No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Essentially it seems to be doing <https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http>
But I'm running this from my laptop.. which is definitely not a machine running in Azure.

Right - a bit of digging around figured it out. So this is the thing:
• secrets backend for pulumi -&gt; keyvault: <https://github.com/pulumi/pulumi/blob/c20bdbe945df331447f64c6d629387ee70c781ba/pkg/secrets/cloud/manager.go#L26>
• Found that at <https://pkg.go.dev/gocloud.dev/secrets/azurekeyvault#hdr-URLs>
• That includes the instruction:
&gt; The default URL opener will use Dial, which gets default credentials from the environment, unless the AZURE_KEYVAULT_AUTH_VIA_CLI environment variable is set to true, in which case it uses DialUsingCLIAuth to get credentials from the "az" command line.
Thus, setting that environment variable on my machine made everything happy. Should we perhaps update docs with this info?

And, had I bothered to read the last line of documentation, I would even have seen that it actually said exactly that. Good job me. /closes fork