In other news, I'm trying to set up my newly created KeyVault as a backend - seeing as this is more to do with standard pulumi features than the azure provider, I figured it might be appropriate here rather than the azure channel.. Running:

pulumi new azure-typescript --secrets-provider <azurekeyvault://n00531.vault.azure.net/keys/pulumi-secrets> --logflow --logtostderr --verbose 9

Results in a typical flow, and I have created the key "pulumi-secrets", and the KeyVault was created by a stack (with local secrets and backend), but trying to set up a new stack like the command above results in this:

created stack 'sdfsf'
Sorry, could not create stack 'sdfsf': secrets (code=Unknown): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://(myvaultname).<http://vault.azure.net/keys/pulumi-secrets//encrypt?api-version=7.0|vault.azure.net/keys/pulumi-secrets//encrypt?api-version=7.0>: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Get "<http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net>": dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.'

I'm actually fairly curious as to where that IP for the refresh token is coming from.. I've had no such problems running

pulumi up

just by being logged in by virtue of az cli.. (Edit: resolved - I did the hard work of doing everything except reading the last line of https://www.pulumi.com/docs/intro/concepts/secrets/#azure-key-vault where it tells me that if I want to use az cli auth with keyvault secrets I need to set

AZURE_KEYVAULT_AUTH_VIA_CLI

to

true

.)