Hey everyone, I'm running Pulumi in Azure Pipelines, using Google Cloud Storage as state backend. The code works fine when executed from the terminal, but in Azure I get errors:

/azp/_work/_temp/0b544aa4-92cf-435d-8251-f13c7d45afb7/pulumi/pulumi login gs://***-pulumi-state
Logged in to ado-agent-7f5785674-jk6mj as root (gs://***-pulumi-state)

/azp/_work/_temp/0b544aa4-92cf-435d-8251-f13c7d45afb7/pulumi/pulumi stack select base -c
error: failed to load checkpoint: blob (key ".pulumi/stacks/base.json") (code=Unknown): Get "<https://storage.googleapis.com/***-pulumi-state/.pulumi/stacks/base.json>": oauth2: cannot fetch token: 400 Bad Request
Response: {"error":"invalid_grant","error_description":"Invalid grant: account not found"}

##[error]Failed to select the stack 'base'.

I saw a similar thread for a case where developer was using Azure Blob Storage and it turned out that he had to set some additional env vars, is this the same case here?

this looks like your service account doesn't have permission to your GCS bucket

By activating service account

gcloud auth activate-service-account --key-file=$(authkey.secureFilePath)

yeah I agree, a quick google of "invalid grant" does throw a lot of google related issues, so it does feel like a google perm issue though

@billowy-army-68599 thanks, got it figured out - Pulumi wouldn't accept any authentication methods except env var 🙂