# pulumi-cloud
b
Hello everyone, I'm having trouble with running `pulumi up` via the `pulumi/actions@v6` GitHub action. I've switched authentication to the Pulumi GitHub OIDC client with the `pulumi/auth-actions@v1` action. My organization is on a Pulumi Team plan, and a GitHub free plan. Authentication works, but for some reason, secrets cannot be correctly deciphered. When I run the same action with an access token, everything works fine. Here's the relevant part of the workflow:
      - name: Perform pulumi login :key:
        uses: pulumi/auth-actions@v1
        with:
          organization: my-pulumi-org
          requested-token-type: urn:pulumi:token-type:access_token:personal
          scope: user:my-technical-user
          export-environment-variables: true

      - if: inputs.state == 'up'
        name: Provision :rocket:
        uses: pulumi/actions@v6
#       # When I run with an access token, everything works
#       env:
#         PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
        with:
          command: up
          stack-name: ${{ inputs.stage }}
          work-dir: path/to/stack
          upsert: true
And here's the corresponding GitHub Actions log output:
Run pulumi/actions@v6
  with:
    command: up
    stack-name: dev
    work-dir: path/to/stack
    upsert: true
    comment-on-pr: false
    comment-on-summary: false
    github-token: ***
    expect-no-changes: false
    diff: false
    exclude-dependents: false
    target-dependents: false
    refresh: false
    remove: false
    edit-pr-comment: true
    color: auto
    exclude-protected: false
    suppress-outputs: false
    suppress-progress: false
    always-include-summary: false
    continue-on-error: false
    log-flow: false
    debug: false
  env:
    pythonLocation: /opt/hostedtoolcache/Python/3.13.3/x64
    PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.13.3/x64/lib/pkgconfig
    Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.13.3/x64
    Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.13.3/x64
    Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.13.3/x64
    LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.13.3/x64/lib
    PULUMI_ACCESS_TOKEN: ***
Configured range:
/usr/local/bin/pulumi version
v3.166.0
warning: A new version of Pulumi is available. To upgrade from version '3.166.0' to '3.169.0', visit https://pulumi.com/docs/install/ for manual instructions and release notes.
Pulumi version 3.166.0 is already installed on this machine. Skipping download
Logging into the Pulumi Cloud backend.
pulumi up on dev
  Updating (dev)
  View Live: https://app.pulumi.com/my-technical-user/my-project/dev/updates/4
  /home/runner/work/_actions/pulumi/actions/v6/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/errors.js:81
                      : new CommandError(result);
  ^
  CommandError: code: -2
   stdout:
   stderr: Command failed with exit code 255: pulumi up --yes --skip-preview --exec-agent pulumi/actions@v6 --color auto --exec-kind auto.local --stack dev --non-interactive
  error: failed to decrypt configuration key 'thesecret:token': [400] Bad Request: invalid ciphertext
  Updating (dev)
  View Live: https://app.pulumi.com/my-technical-user/my-project/dev/updates/4
   err?: Error: Command failed with exit code 255: pulumi up --yes --skip-preview --exec-agent pulumi/actions@v6 --color auto --exec-kind auto.local --stack dev --non-interactive
  error: failed to decrypt configuration key 'thesecret:token': [400] Bad Request: invalid ciphertext
  Updating (dev)
  View Live: https://app.pulumi.com/my-technical-user/my-project/dev/updates/4
      at Object.createCommandError (/home/runner/work/_actions/pulumi/actions/v6/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/errors.js:81:1)
      at exec (/home/runner/work/_actions/pulumi/actions/v6/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/cmd.js:186:1)
      at processTicksAndRejections (node:internal/process/task_queues:95:5)
      at Stack.runPulumiCmd (/home/runner/work/_actions/pulumi/actions/v6/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/stack.js:902:1)
      at Stack.up (/home/runner/work/_actions/pulumi/actions/v6/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/stack.js:257:1)
l
Are the secrets stored in the stack, or in another resource (ESC, vault, etc.)? If they're in the stack, can you confirm that the access token you're getting via the OIDC auth is for the same user as the access token that works?
b
The secrets are stored in the stack, and the stack resides in Pulumi Cloud.
can you confirm that the access token you're getting via the OIDC auth is for the same user as the access token that works?
Do you mean the same as in "Has similar claims, same audience, etc."? Haven't checked that yet. Right now we'll continue working with the static API token.
l
Yes, my question was confusing, since the token provides a role, not a user. But what I meant was: can you check that the provided role (the one that is linked with the OIDC config) has the same or equivalent privileges as the user that the access token corresponds to?
b
Ah, I see, thanks for the clarification. The technical user has "Member" permissions in our Pulumi org. The access token with which the pipeline works is an organization token.
l
To investigate further: would you consider creating a normal access token for my-technical-user, and using that in the pipeline once? If that fails in the same way, then the problem is with the user. If it works, then I think you may have to raise a support issue with Pulumi.
b
Thanks for the suggestion. I'll check it out.