# general
s
This message was deleted.
l
Not stupid. Great question. It comes up quite frequently at my place of work. The answer is on https://www.pulumi.com/docs/intro/concepts/state/
For Azure:
> This backend requires setting the environment variables `AZURE_STORAGE_ACCOUNT` and either `AZURE_STORAGE_KEY` or `AZURE_STORAGE_SAS_TOKEN`.

For AWS:
> Also see AWS Session for configuring credentials for this backend.

So essentially: only the default session and credentials are used. You can configure any profile and assume any role in the main Pulumi program, but the backend uses the normal SDK method of authorizing via env var creds.
w
Thanks @little-cartoon-10569. One follow-up question. I think the cloud storage is working, but I also use `--secrets-provider` when I initialize the stack, and that seems to be using my logged-in user. How do I use a service provider account for that? Do I need to sign in with the service principal?
l
In the secrets provider section of that page (https://www.pulumi.com/docs/intro/concepts/config/#initializing-a-stack-with-alternative-encryption), each secrets provider section says how it authenticates. For example, `awskms` says:
> If you have previously configured the AWS CLI, the same credentials will be used. These can also be overridden using the standard `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables.

So that's the same as the backend provider, and different from the resource (main Pulumi project) provider.