No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hi all, trying to diagnose an issue in production with our Pulumi pipeline. It uses and AzureAD Provider (Terraform under the covers?) with a clientid/secret as follows:

`var userTenantProvider = new Provider("UserTenantProvider", new ProviderArgs`
`{`
    `TenantId = _config.Environment.ActiveDirectory.UserTenantId,`
    `ClientId = _userTenantProviderConfig.ClientId,`
    `ClientSecret = _userTenantProviderConfig.ClientSecret`
`});`

The secret has been rotated and the new one is passed into the pipeline. However the pipeline still fails with the following message:

_building client: unable to obtain access token: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '[secret]'._

The pipeline was working fine before the secret changed, it's as if the old one is cached somewhere. Any ideas?

Hmm it looks as if it's a problem with refresh. By skipping the stack refresh, the pipeline succeeded.