sorry for late reply, i'm using a self built docker image and some python logic to control deploys.. the question is not where to store the secret, but how to get the pulumi auth credential that I can inject into a CI system which will authorize pulumi. If we were using, say AWS Codebuild, the AZ service principal vars would get injected allowing access to the AZ resources, but I'd need that PULUMI_ACCESS_TOKEN to authorize pulumi as well.. just not sure how/where to get it