# azure
e
Is there any chance to use Azure CLI to authenticate against Azure BlobStorage when using it as a custom pulumi backend?
w
You mean storing state in blob storage? Then using the CLI to generate a SASKey?
e
u mean using Azure CLI to generate SASKey?
w
Yes, that's what we do.
e
where do you store this secret?
b
I set this:
AZURE_KEYVAULT_AUTH_VIA_CLI=true
AZURE_STORAGE_ACCOUNT=the-name-of-the-storage-account-resource
AZURE_STORAGE_KEY=one-of-the-two-storage-keys-on-the-keyvault-not-a-url-to-anything
AZURE_STORAGE_KEY being one of these two:
and a good place to store that for ci/cd would be keyvault
e
@better-shampoo-48884 thank you for your reply. My question is, why is this so complicated, when it could be so much easier? Imo pulumi should just enable Azure AD authentication for blob storage. Then I could just use the user/principal of Azure CLI. Or am I overlooking something here?
b
I think it's fairly typical to use these keys for integration work. And when dealing with ci/cd, it's typically system-to-system integration - and it seems like keys are the preferred option when it comes to storage accounts. "go figure".
e
@better-shampoo-48884 It may be typical to use SAS tokens, but it is generally good practice to avoid any secrets. Also, Microsoft is recommending not to use SAS, but to use Azure AD instead. "Azure AD provides superior security and ease of use over Shared Key for authorizing requests to Blob storage. For more information, see Authorize access to Azure blobs and queues using Azure Active Directory." (https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#identity-and-access-management)
Maybe @tall-librarian-49374 can shed some light here.