Pulumi Day-2. I am experiencing an Azure 403 authorization exception when running my C# Pulumi automation api program direct from the command line or as a debug run within Visual Studio, the 403 is thrown at the first resource access after stack.UpAsync(). The exception details indicate Pulumi is using the service principal config values I set up in code via stack.SetConfigAsync(). I suspect I have not copied the correct values from the Azure Dashboard because there are some differences in terminology between the Azure dashboard and the following 4 configure values I am providing in code: "azure-native:clientId", "azure-native:clientSecret", "azure-native:tenantId" and "azure-native:subscriptionId". Within the Dashboard the following values are available: Display name Application (client) ID Object ID Directory (tenant) ID Secret-ID Secret value Subscription ID

this might be your best next read: https://docs.microsoft.com/en-us/graph/resolve-auth-errors

Hmm re. the tenantID, I used the value from the Azure Enterprise Application I set up via the dashboard. I do not recall giving the enterprise application authorization to access the Azure resource management API's and just hoped this would cascade through from my main subscription. I will keep digging, I had assumed the first successful automation run would take a day to debug.

An you share some of your code?

@billowy-army-68599 Thanks for the offer to look at my code. I have resolved the problem myself, I had to add my automation program (Enterprise Application in Azure terminology) as an Access Control role for my main Azure subscription. This was done via the Azure Portal. Previously I had done the same for the fixed manually created resource-group used for all my Pulumi automation api deployments. This was a partial fix but the broader Pulumi resource api queries such as those issued by pulumi refresh failed without the role assignment to the main subscription.