No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

You mean storing state in blob storage? Then using the CLI to generate a SASKey?

u mean using Azure CLI to generate SASKey?

I set this:
```AZURE_KEYVAULT_AUTH_VIA_CLI=true
AZURE_STORAGE_ACCOUNT=the-name-of-the-storage-account-resource
AZURE_STORAGE_KEY=one-of-the-two-storage-keys-on-the-keyvault-not-a-url-to-anything```


image.png

AZURE_STORAGE_KEY being one of these two:

and a good place to store that for ci/cd would be keyvault

<@U01Q2NASYN9> thank you for your reply. My question is, why this is so complicated, when it could be so much easier? Imo pulumi should just enable Azure Ad authentication for blob storage. Then I just could use the user/principal of Azure Cli. Or am I overseeing something here?

I think it's fairly typical to use these keys for integration work. and when dealing with ci/cd, it's typically system-to-system integration - and it seems like keys are the prefered option when it comes to storage accounts. "go figure".

<@U01Q2NASYN9> It maybe typical to use SAS token, but it is a general good practice to avoid any secrets. Also Microsoft is recommending to not use SAS, but use Azure AD instead.

"Azure AD provides superior security and ease of use over Shared Key for authorizing requests to Blob storage. For more information, see <https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad|Authorize access to Azure blobs and queues using Azure Active Directory>."

(<https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#identity-and-access-management>)

Maybe <@UB39JFCKC> can shed some light here.