Hey guys, I have run into the issue with pulumi r...
# azure
h
Hey guys, I have run into an issue with the pulumi refresh bash command and OIDC authentication with AzureProvider in a GitHub pipeline. We are able to set up the OIDC authentication without any problem, but unfortunately, we are unable to use pulumi refresh as it is using the Azure provider from the pulumi state. I'm getting:
```
error: Preview failed: OIDC authentication was requested via useOidc/ARM_USE_OIDC but no token or request URL were
configured. See <https://www.pulumi.com/registry/packages/azure-native/installation-configuration/#credentials> for more information.
```
I tried to check different sources but I was not able to find a way to get it to work. Did any of you solve this?
e
Have you looked at the new --run-program option for refresh? https://www.pulumi.com/blog/improved-refresh-destroy-experience/ That will re-run the program to refresh credentials for refresh the same way it would for up.
h
Hi, no I didn't, going to look at it. Thanks.
@echoing-dinner-19531 I have tried to "rerun" the program but unfortunately I'm unable to do so as we are dependent on GitHub variables with secrets and other configuration.
e
I don't follow. The program running in up would also depend on those things.
h
Normally how it worked so far was that the GitHub pipeline started the pulumi code and it worked because all dependencies were in place and we used a client secret for the Azure provider. (So local pulumi refresh also worked, as the client secret was static and the Azure provider didn't need to "refresh" itself.) During the refresh we didn't refresh any configuration, it was just the Azure state vs the pulumi state.
I'm not sure what's happening there but I can just assume that there is some "pulumi context" which contains all env variables or whatever is needed, and with --run-program I'm trying to re-evaluate the context again.
Maybe one thing to add. Normal deployment is running in the GitHub pipeline and the refresh is triggered from a local development machine.
e
right yeh, you need the same credentials on each machine. The credentials saved to state aren't always long lasting to be able to be used on other machines (depends on the provider and auth method).
h
Hi, sorry it was a bit late for me yesterday. So to wrap it up, there should always be a single platform to process and provide pulumi's operations. Pulumi CLI worked on another platform (development machine) just because of the static client secret used in the Azure provider, and with other auth methods it won't work anymore. Based on what you said about the credentials, that's a single issue, but there is also the configuration context which is tightly coupled with GitHub right now.
e
> always single platform to process and provide pulumi's operations
You don't have to just have one platform, you just have to make sure that everywhere that runs it can auth in some way. They don't even have to be the same auth methods.
h
Sorry, but the auth method is coupled to the Azure provider. Do you have an example of how to set up different auth methods? Or how to dynamically resolve e.g. the ClientId? Or maybe if we would not fill any auth method it will take the context one? So it would be possible to get the "local" az login context? But there is still the configuration issue, I believe. (Running pulumi refresh without --run-program would result in the wrong state of not refreshing the used context for the provider, right?)
e
> Or maybe if we would not fill any auth method it will take the context one? So it would be possible to get the "local" az login context?
Yeh if you don't set any config most providers will pull ambient config. Sometimes you just need to change config between CI and local though.
> But there is still the configuration issue, I believe. (Running pulumi refresh without --run-program would result in the wrong state of not refreshing the used context for the provider, right?)
Yes, I don't think there's really a lot to help there except making sure you always use --run-program. We're looking at making that the default in the future because of reasons like this.
👍 1
h
Thanks for the help and clarification 🙂