Skip to content
Latchkey

Pulumi "problem logging in: 401" in CI

Pulumi reached the Cloud backend and sent a token, but the server returned 401 Unauthorized. A value is present, so this is a bad, expired, or revoked token rather than a missing one.

What this error means

A Pulumi step fails with "error: problem logging in:" followed by a 401 response from the backend URL. It differs from the "must be set" error because a token was actually sent.

pulumi
error: problem logging in: getting user info from https://api.pulumi.com:
GET https://api.pulumi.com/api/user: 401 Unauthorized

Common causes

The token is expired or was revoked

Pulumi Cloud rejected the credential because it is no longer valid, so authentication returns 401.

The secret holds a malformed token

A truncated or whitespace-padded token is transmitted but does not authenticate, producing 401.

How to fix it

Issue and store a fresh token

  1. Create a new access token in Pulumi Cloud.
  2. Replace the CI secret with the new value, with no extra whitespace.
  3. Re-run the login-dependent step.
.github/workflows/ci.yml
env:
  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}

Confirm the backend URL matches the token

A token for Pulumi Cloud will 401 against a self-managed backend and vice versa. Point pulumi login at the backend the token belongs to.

Terminal
pulumi login https://api.pulumi.com

How to prevent it

  • Rotate CI tokens before they expire and update the secret promptly.
  • Use a dedicated CI token so revoking a person does not break pipelines.
  • Keep the login backend URL consistent with the token type.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →