Hello, all,
I have a working setup configured like this:
• Pulumi with Azure State Backend
• Azure AppRegistration exclusive for Pulumi use, with all the proper permissions configured
• GitHub Actions CI, using the azure/login action with OIDC and the ServicePrincipal corresponding to the above appReg
• pulumi/action also using OIDC and running all the relevant commands, like preview and up
• Since some of the actions need to interact with our private Azure network, it runs on self-hosted GitHub Runners (Azure VM), which have connectivity to the private resources.
All was working well until, for some unrelated reason, we needed to add a system-assigned managed identity (aka SMI) to the VMs. As soon as the VM got the identity, we started getting errors when trying to log in to Pulumi, with 403 errors towards the state backend storage. Debugging this, we found out that the clientId being used for this request is the SMI, not our previous one, even though all the variables seem to be properly set.
I tried dozens of methods to try to make Pulumi not use the SMI, but nothing worked. As soon as we removed the SMI, everything started working again.
I don't want to give permissions to the SMI because we already have a user which is configured, and since some of the actions do not need to run locally, we still use the GitHub public runner for some tasks. I don't want to replicate these permissions for each runner copy plus one extra for the public ones.
Any ideas on how we can make Pulumi (or, implicitly, the Go Azure SDK login mechanism) ignore the SMI when logging in and use the supplied clientId?
Current GHA code:
- name: Azure login
  uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
  with:
    client-id: ${{ inputs.AZURE_CLIENT_ID }}
    tenant-id: ${{ inputs.AZURE_TENANT_ID }}
    subscription-id: ${{ inputs.AZURE_SUBSCRIPTION_ID }}
- name: Pulumi Command
  id: pulumi
  uses: pulumi/actions@v6.3.0
  with:
    command: ${{ inputs.PULUMI_COMMAND }}
    stack-name: ${{ inputs.PULUMI_STACK_NAME }}
    work-dir: ${{ inputs.WORKING_DIR }}
    cloud-url: azblob://pulumi-state?storage_account=<redacted>${{ inputs.ENVIRONMENT_NAME }}
    comment-on-pr: true
    edit-pr-comment: false
    diff: ${{ inputs.DIFF }}
    upsert: true
    secrets-provider: azurekeyvault://<redacted>${{ inputs.ENVIRONMENT_NAME }}-01.vault.azure.net/keys/pulumi-key
    suppress-progress: true
  env:
    ARM_USE_OIDC: true
    ARM_CLIENT_ID: ${{ inputs.AZURE_CLIENT_ID }}
    ARM_TENANT_ID: ${{ inputs.AZURE_TENANT_ID }}
    ARM_SUBSCRIPTION_ID: ${{ inputs.AZURE_SUBSCRIPTION_ID }}
    AZURE_KEYVAULT_AUTH_VIA_CLI: true
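The symptom described in the post (a 403 from the state storage account because the token was minted for the managed identity rather than the intended app registration) is easiest to confirm by looking at who the access token was actually issued to, before touching any permissions. The script below is an added diagnostic, not the poster's code and not part of Pulumi or the Azure SDK. It decodes a JWT's payload without verifying it and compares the caller identity claim against the client ID the workflow expects: Entra ID v1 tokens name the calling application in `appid`, v2 tokens in `azp`. The tokens, GUIDs and the `_make_unsigned_jwt` helper are constructed for offline demonstration only; a real token comes from the runner, for example the `accessToken` field of `az account get-access-token --resource https://storage.azure.com/`.

```python
import base64
import json
from typing import Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    Diagnostic use only: we want to see which identity the token was issued to,
    not trust the claims for any authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_client_id(token: str) -> Optional[str]:
    """Entra ID v1 tokens carry the calling app in `appid`; v2 tokens use `azp`."""
    claims = jwt_claims(token)
    return claims.get("appid") or claims.get("azp")


def check_expected_identity(token: str, expected_client_id: str) -> Tuple[bool, str]:
    """Report whether the token belongs to the client ID the pipeline configured.

    A mismatch means another credential source in the SDK's chain (for example a
    managed identity on the VM) produced the token, which explains a 403 from a
    resource where only the intended app registration holds a role.
    """
    actual = token_client_id(token)
    if actual is None:
        return False, "token carries neither an appid nor an azp claim"
    if actual.lower() == expected_client_id.lower():
        return True, f"token issued to expected client {actual}"
    return False, f"token issued to {actual}, expected {expected_client_id}: another credential source won"


def _make_unsigned_jwt(claims: dict) -> str:
    # Constructed sample for offline demonstration; a real token is signed by Entra ID.
    header = {"alg": "none", "typ": "JWT"}

    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(claims)}."


# Constructed placeholder GUIDs, not real tenant values.
EXPECTED_CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # the ARM_CLIENT_ID the workflow passes
SMI_CLIENT_ID = "22222222-2222-2222-2222-222222222222"        # the VM's system-assigned identity

# Constructed sample tokens: one issued to the app registration (v1 style, `appid`),
# one issued to the managed identity (v2 style, `azp`).
SAMPLE_GOOD_TOKEN = _make_unsigned_jwt(
    {"aud": "https://storage.azure.com/", "appid": EXPECTED_CLIENT_ID, "oid": "aaaa-obj-id"}
)
SAMPLE_SMI_TOKEN = _make_unsigned_jwt(
    {"aud": "https://storage.azure.com/", "azp": SMI_CLIENT_ID, "oid": "bbbb-obj-id"}
)


if __name__ == "__main__":
    for name, tok in (("app-registration token", SAMPLE_GOOD_TOKEN), ("managed-identity token", SAMPLE_SMI_TOKEN)):
        ok, msg = check_expected_identity(tok, EXPECTED_CLIENT_ID)
        print(f"{name}: {'OK' if ok else 'MISMATCH'} - {msg}")
```

Running the check on the token the runner actually obtains tells you immediately whether the credential chain picked the SMI; the `oid` claim additionally identifies the service principal object, which is what the storage account's role assignment is keyed on.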