I'm somewhat stuck on using azure-native:subscript...
# azure
d
I'm somewhat stuck on using azure-native:subscriptionId / tenantId / client and clientSecret. The docs state that this can be used to auth via a service principal. I've found it to be true, but ONLY if I log in via the az cli first. I tried using the ARM_xxxx env vars, and this worked well - in the sense that I could be completely logged out of the "az cli" tool, and the deployments succeeded. But that means I need to set up the ARM env vars, which is really only good in a CI/CD sense. Am I missing something? I do actually need to be logged into the az cli system, and Pulumi will then pick out those azure-native values for use by the provider? Ref: https://www.pulumi.com/registry/packages/azure-native/installation-configuration/#option-2-use-a-service-principal
l
FWIW, I'm in the middle of doing this kind of work right now. Within GitHub Actions, I set the `ARM_CLIENT_ID`, etc. environment variables via the `secrets` context (e.g. `${{ secrets.PULUMI_ARM_CLIENT_ID_DEV }}`). For this scenario, the Pulumi GitHub action works without any kind of az cli login. When I'm running the same Pulumi program interactively (e.g. at a PowerShell shell), I'm logged in via `az login`. But I don't have any reason to think that if I set the 4 `ARM_` environment variables that `pulumi up` wouldn't work - without being logged in to the az cli. Is that what you're asking? Does that help?
d
It is what I'm asking - and yep, I can confirm that using the ARM_ variables it works. What I was led to believe from the docs (could be my mistake in the interpretation though) is that this would work only with the pulumi stack config and no az login. Doesn't seem to be the case.