This message was deleted.

@creamy-fall-88031 full walkthrough of all clouds here: https://www.leebriggs.co.uk/blog/2022/01/23/gha-cloud-credentials.html example code to set it up: https://github.com/jaxxstorm/secure-cloud-access/tree/main/azure

This is exactly the tutorial I was following. As I wrote, logging in with the github actions example from this tutorial has no issues. But once I extend it to actually deploy some pulumi code - it fails with the error. So this part:

uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

works. This one fails:

- uses: pulumi/actions@v3
        with:
          command: up
          stack-name: dev
          cloud-url: <azblob://state>       
        env:
          PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_CONFIG_PASSPHRASE }}
          AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
          AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
          AZURE_KEYVAULT_AUTH_VIA_CLI: true

are you using an OSS backend?

self managed, state should be saved in azure blob file

okay, so auth'ing with oidc means you're logged in as a service principal, example: https://github.com/jaxxstorm/secure-cloud-access/runs/4914761413?check_suite_focus=true#step:3:20 i'm not sure where the error is coming from, it should work

Hi again. Thank you very much for trying to help me. I just figured it out that actually you wrote the tutorial. 😄 So one more thing to thank you for. Just a small update. Although I've meddled with this issue for several days now, I was not able to make a successful deployment. The

azure/login@v1

action works without any issues just as you described in your tutorial, but the actual deployment via

pulumi/actions@v3

always fails when deploying via OIDC. At this point I had to return to service principal authentication and store the secret at Github.