are there any guides on creating an IAM user to be...
# aws
i
are there any guides on creating an IAM user to be used with pulumi CLI? it's hard to find because there is so much other content about using pulumi to manage IAM resources
b
@icy-controller-6092 are you talking about the iam user with perms to use pulumi?
i
b
you likely don’t want an IAM user really, it’s not the ideal way. I wrote a blog post here on how to auth to AWS the right way: https://leebriggs.co.uk/blog/2022/09/05/authenticating-to-aws-the-right-way the tl;dr is: for CI/CD, use OIDC; for human users, use SSO. If you don’t want to do that, you can define an IAM user and create credentials for it like this: https://github.com/jaxxstorm/pulumi-examples/blob/542cb445791885e0f53cf834fcd95b613d900139/typescript/aws/assume_role/index.ts#L5
i
ah thanks, AWS did try to tell me about SSO when I created the access key for the limited-scope IAM user, but it does look rather complicated (certainly way more complicated than using an access key for a very restricted account)
I'll give your article a try, I understand the sso login command would open a new browser window on the first go, but after that all session refreshes are done behind the scenes? which I would need because I automate the deployment and wouldn't want a browser window to pop up whenever I try to deploy
b
you wouldn’t use SSO for CI/CD or automated deployments, just human users
so you wouldn’t need the browser window
i
I'm running my deployments locally for now, as I am a solo dev. trying to grok the difference between these two approaches:
• https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html
• https://github.com/jaxxstorm/aws-sso-creds
I think they would both solve the issue of the browser window being opened beyond the first login
b
I understand the sso login command would open a new browser window on first go, but after that all session refreshes are done behind the scenes?
You get a session token that expires after a configurable time, you don’t need to do any refresh until the next day. The workflow generally is to login at the start of the day and not worry about it after that
aws-sso-creds is just a tool to automate retrieving credentials from an SSO session
i
I definitely agree with your article opener - they make the right decision hard.
I'm just going to keep using the access key for my IAM user, I've given it very few permissions so the effort to learn SSO etc doesn't seem worth it