No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

hmmm idk. The fact that it is a `CommandResult` indicates that the Automation API is just forwarding you an error that the CLI threw.

When you provide a `projectSettings` object the `LocalWorkspace.CreateOrSelectStack` method should be serializing that into a project setting YAML.

So, the first thing I would do is verify that the project settings YAML that is generated, in the temp directory that it creates, has the secrets provider as you expect it to.

If it does, than I would try the same configuration using the CLI - not the Automation API - and see if you get the same error.

If you don't, than it is an Automation API issue. If you do, than it is either a CLI issue or is an issue with your configuration

When you use an inline program without specifying a working directory, it puts the pulumi.yaml and pulumi.stack.yaml in a temporary directory. You may need to save or populate those files on your own.

I just set `workDir: ".",` now, and Pulumi.yaml showed up in the directory (no stack yaml though). Same error - so I'm guessing it needs a passphrase to establish a stack then it converts that to secrets-store afterwards..

Think I figured it out.. it's a logging issue I think.. creating the stack manually with the --secrets-provider gave me a token issue for keyvault, which reminded me that I needed to set AZURE_KEYVAULT_AUTH_VIA_CLI, so when I update the code to:
```const stack = await pulumi.LocalWorkspace.createOrSelectStack({
        projectName: "k8s-baseline",
        program: pulumiProgram,
        stackName: currentStack
    },{
        envVars: {
            AZURE_KEYVAULT_AUTH_VIA_CLI: "true",
        }, 
        projectSettings: {
           ....
        },
        workDir: ".",
        secretsProvider: "<azurekeyvault://xxxxx.vault.azure.net/keys/pulumi>"
    })```
it works without complaint

so the issue is simply this: when auth for secretsprovider fails, pulumi automation silently ignores this and prompts for passphrase.

Automation issues.. do they go in pulumi/pulumi or is there somewhere else for automation?

Yes <https://github.com/pulumi/pulumi/issues/new?assignees=&amp;labels=kind%2Fbug&amp;template=0-bug-report.md>