Pulumi self-managed backend "unable to validate token" in CI
Pulumi tried to validate its stored credential against the self-managed backend it is configured for, and the backend did not accept it. The login state and the backend expectation are out of sync.
What this error means
A Pulumi step against a self-managed backend (S3, Azure Blob, GCS, or a self-hosted service) fails with "error: unable to validate token" before running your program.
error: unable to validate token: getting user info: 401 UnauthorizedCommon causes
Stale login state from a different backend
A cached credentials file points at one backend while CI expects another, so the token cannot be validated where it is used.
The self-hosted service rejected the credential
A self-hosted Pulumi service returned an authentication failure because the token is wrong for that instance.
How to fix it
Log in explicitly to the intended backend
- Log out to clear any stale credential state.
- Log in to the exact backend URL CI should use.
- Re-run the Pulumi command.
pulumi logout
pulumi login https://pulumi.internal.example.comSet the backend URL for the job
Pin the backend with PULUMI_BACKEND_URL so every step targets the same backend the token is valid for.
env:
PULUMI_BACKEND_URL: s3://my-pulumi-stateHow to prevent it
- Pin
PULUMI_BACKEND_URLso CI always targets one backend. - Log out then log in at the start of the job to avoid stale state.
- Keep credentials scoped to the specific self-managed backend.