Hey I have a weird one that I'm bashing my head ag...
# azure
Hey I have a weird one that I'm bashing my head against simply with a login to an Azure blob state. I've been using this account for years and it works just fine. I've converted my Azure service principal to use OIDC, and on one machine the login works totally fine; on another it fails with a 403. I'm imagining it's environment specific, but the verbose logging from a login just gives back the 403 permission issue.

• I know the permissions for the account are fine as I can run the same script on a different box just fine and it's historically worked without a federation
• I have matched the Pulumi and Azure CLI versions in both environments (Pulumi v3.167.0)
• I'm using the same script in both to do the login

Is there anything else I can crank up to give me some ideas? My only thinking is that Pulumi is not picking up the federated credentials authentication, but from the logging I have no way to tell why (sad panda)

Here's my small script, which is running inside an Azure DevOps task with a preauthenticated az cli:
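```bash
# Install the Pulumi CLI and confirm the installed version
curl -sSL https://get.pulumi.com | sh
/home/AzDevOps/.pulumi/bin/pulumi version --verbose=9

# Service principal settings for OIDC (federated) authentication
export ARM_CLIENT_ID="${servicePrincipalId}"
export ARM_TENANT_ID="${tenantId}"
export ARM_SUBSCRIPTION_ID="$(az account show --query id -o tsv)"
export ARM_USE_OIDC=true
export ARM_OIDC_TOKEN="${idToken}"

# Debug only: printenv and -v=11 write the OIDC token and request headers to the task log
printenv

# Drop any cached backend login, then log in to the blob-backed state (URL quoted because of the '?')
/home/AzDevOps/.pulumi/bin/pulumi logout --all
/home/AzDevOps/.pulumi/bin/pulumi login 'azblob://pulumi-state?storage_account=MYBLOBSTORAGE' -v=11 --logtostderr 2> out.txt
cat out.txt
```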
And the output
```
W0508 09:00:40.013347   54816 pulumi.go:264] log level 11 will print sensitive information such as api tokens and request headers
I0508 09:00:40.143198   54816 sink.go:178] defaultSink::Error(error: problem logging in: read ".pulumi/meta.yaml": blob (key ".pulumi/meta.yaml") (code=Unknown): GET https://MYBLOBSTORAGE.blob.core.windows.net/pulumi-state/.pulumi/meta.yaml
--------------------------------------------------------------------------------
RESPONSE 403: 403 This request is not authorized to perform this operation using this permission.
ERROR CODE: AuthorizationPermissionMismatch
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission.
RequestId:7d0c4368-a01e-0060-6ff7-bf12cf000000
Time:2025-05-08T09:00:40.1352380Z</Message></Error>
--------------------------------------------------------------------------------
)
```
Any help would be much appreciated!
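Added example, not part of the original post: because the same script behaves differently on two agents, one check is to decode the claims of the federated token each agent exports as `ARM_OIDC_TOKEN` and compare them, which avoids printing the raw token the way `printenv` does. The helper names, the list of claims compared, and the two sample tokens are assumptions constructed for illustration; the decoder does not verify signatures and handles only plain string-valued claims.

```shell
# Added diagnostic helpers (illustrative, not Pulumi or Azure tooling).

# Print the decoded JSON payload (second segment) of a JWT. No signature check.
jwt_payload() {
  _seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # base64url omits padding; restore it so base64 -d accepts the input
  case $(( ${#_seg} % 4 )) in
    2) _seg="${_seg}==" ;;
    3) _seg="${_seg}=" ;;
  esac
  printf '%s' "$_seg" | base64 -d
}

# jwt_claim <token> <name>: print one string-valued claim (empty if absent).
jwt_claim() {
  jwt_payload "$1" | tr -d '\n' |
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# jwt_diff_claims <tokenA> <tokenB>: print each identity claim that differs.
jwt_diff_claims() {
  for _c in iss sub aud tid oid appid; do
    _a=$(jwt_claim "$1" "$_c")
    _b=$(jwt_claim "$2" "$_c")
    if [ "$_a" != "$_b" ]; then
      printf '%s: %s != %s\n' "$_c" "$_a" "$_b"
    fi
  done
  return 0
}

# --- constructed sample data: unsigned tokens with made-up claim values ---
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }
sample_jwt() {
  printf '%s.%s.sig' "$(printf '{"alg":"none"}' | b64url)" "$(printf '%s' "$1" | b64url)"
}
TOKEN_A=$(sample_jwt '{"iss":"https://issuer.example/org","sub":"sc://example-org/example-project/conn-a","aud":"api://AzureADTokenExchange"}')
TOKEN_B=$(sample_jwt '{"iss":"https://issuer.example/org","sub":"sc://example-org/example-project/conn-b","aud":"api://AzureADTokenExchange"}')

# Compare the token captured on the working agent with the failing one
jwt_diff_claims "$TOKEN_A" "$TOKEN_B"
```

On a real agent, running `jwt_claim "$ARM_OIDC_TOKEN" sub` (and the same for `iss` and `aud`) on each machine gives values that can be compared with the federated credential configured on the service principal.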