Pulumi "problem logging in: 401" in CI
Pulumi reached the Cloud backend and sent a token, but the server returned 401 Unauthorized. A value is present, so this is a bad, expired, or revoked token rather than a missing one.
What this error means
A Pulumi step fails with "error: problem logging in:" followed by a 401 response from the backend URL. It differs from the "must be set" error because a token was actually sent.
error: problem logging in: getting user info from https://api.pulumi.com:
GET https://api.pulumi.com/api/user: 401 UnauthorizedCommon causes
The token is expired or was revoked
Pulumi Cloud rejected the credential because it is no longer valid, so authentication returns 401.
The secret holds a malformed token
A truncated or whitespace-padded token is transmitted but does not authenticate, producing 401.
How to fix it
Issue and store a fresh token
- Create a new access token in Pulumi Cloud.
- Replace the CI secret with the new value, with no extra whitespace.
- Re-run the login-dependent step.
env:
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}Confirm the backend URL matches the token
A token for Pulumi Cloud will 401 against a self-managed backend and vice versa. Point pulumi login at the backend the token belongs to.
pulumi login https://api.pulumi.comHow to prevent it
- Rotate CI tokens before they expire and update the secret promptly.
- Use a dedicated CI token so revoking a person does not break pipelines.
- Keep the login backend URL consistent with the token type.