How do I use assumeRoleWithWebIdentity to setup and access resources on AWS ?

const roleToAssumeARN = String(process.env.ROLE_ARN);
        const sessionName = String(`"GitLabRunner-${process.env.CI_PROJECT_ID}-${process.env.CI_PIPELINE_ID}"`);
        const webIdentityToken = String(process.env.GITLAB_OIDC_TOKEN);

        console.log(`Looking at ${roleToAssumeARN} with ${sessionName}`)
        const awsProvider = new aws.Provider("privileged", {
            assumeRoleWithWebIdentity: {
                roleArn: roleToAssumeARN,
                sessionName: sessionName,
                webIdentityToken: webIdentityToken,
                duration: "600",
            },
            region: aws.config.requireRegion(),
        });
        provider = { provider: awsProvider };
...
const contentBucket = new aws.s3.Bucket(`wwwBucket-${currentStack}`, {}, provider);

The error

pulumi:providers:aws (privileged):
    error: rpc error: code = Unknown desc = unable to validate AWS credentials.
    Details: no valid credential sources for Pulumi AWS Classic found.
    
    Please see <https://www.pulumi.com/registry/packages/aws/installation-configuration/>
    for more information about providing credentials.
    
    AWS Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request canceled, context deadline exceeded

This is the nearest hit - https://github.com/pulumi/pulumi-aws/issues/2425 I am able to validate the token are correct from cli using aws sts.