Skip to content
Latchkey

Pulumi self-managed backend "unable to validate token" in CI

Pulumi tried to validate its stored credential against the self-managed backend it is configured for, and the backend did not accept it. The login state and the backend expectation are out of sync.

What this error means

A Pulumi step against a self-managed backend (S3, Azure Blob, GCS, or a self-hosted service) fails with "error: unable to validate token" before running your program.

pulumi
error: unable to validate token: getting user info: 401 Unauthorized

Common causes

Stale login state from a different backend

A cached credentials file points at one backend while CI expects another, so the token cannot be validated where it is used.

The self-hosted service rejected the credential

A self-hosted Pulumi service returned an authentication failure because the token is wrong for that instance.

How to fix it

Log in explicitly to the intended backend

  1. Log out to clear any stale credential state.
  2. Log in to the exact backend URL CI should use.
  3. Re-run the Pulumi command.
Terminal
pulumi logout
pulumi login https://pulumi.internal.example.com

Set the backend URL for the job

Pin the backend with PULUMI_BACKEND_URL so every step targets the same backend the token is valid for.

.github/workflows/ci.yml
env:
  PULUMI_BACKEND_URL: s3://my-pulumi-state

How to prevent it

  • Pin PULUMI_BACKEND_URL so CI always targets one backend.
  • Log out then log in at the start of the job to avoid stale state.
  • Keep credentials scoped to the specific self-managed backend.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →