#aws

icy-controller-6092

07/06/2023, 6:23 AM
are there any guides on creating an IAM user to be used with pulumi CLI? it's hard to find because there is so much other content about using pulumi to manage IAM resources

billowy-army-68599

07/06/2023, 2:56 PM
@icy-controller-6092 are you talking about the iam user with perms to use pulumi?

icy-controller-6092

07/06/2023, 11:28 PM

billowy-army-68599

07/06/2023, 11:35 PM
you likely don’t want an IAM user really, it’s not the ideal way. I wrote a blog post here on how to auth to AWS the right way: https://leebriggs.co.uk/blog/2022/09/05/authenticating-to-aws-the-right-way the tl;dr is: for CI/CD, use OIDC; for human users, use SSO. If you don’t want to do that, you can define an IAM user and create credentials for it like this: https://github.com/jaxxstorm/pulumi-examples/blob/542cb445791885e0f53cf834fcd95b613d900139/typescript/aws/assume_role/index.ts#L5

icy-controller-6092

07/06/2023, 11:55 PM
ah thanks, AWS did try to tell me about SSO when I created the access key for the limited-scope IAM user, but it does look rather complicated (certainly way more complicated than using an access key for a very restricted account)
I'll give your article a try, I understand the sso login command would open a new browser window on first go, but after that all session refreshes are done behind the scenes? which I would need because I automate the deployment and wouldn't want a browser window to popup whenever I try to deploy

billowy-army-68599

07/06/2023, 11:59 PM
you wouldn’t use SSO for CI/CD or automated deployments, just human users
so you wouldn’t need the browser window

icy-controller-6092

07/07/2023, 12:00 AM
I'm running my deployments locally for now, as I am a solo dev. trying to grok the difference between these two approaches:
• https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html
• https://github.com/jaxxstorm/aws-sso-creds
I think they would both solve the issue of the browser window being opened beyond the first login

billowy-army-68599

07/07/2023, 12:01 AM
I understand the sso login command would open a new browser window on first go, but after that all session refreshes are done behind the scenes?
You get a session token that expires after a configurable time, you don’t need to do any refresh until the next day. The workflow generally is to login at the start of the day and not worry about it after that
aws-sso-creds is just a tool to automate retrieving credentials from an SSO session

icy-controller-6092

07/07/2023, 12:02 AM
I definitely agree with your article opener - they make the right decision hard.
I'm just going to keep using the access key for my IAM user, I've given it very few permissions so the effort to learn SSO etc doesn't seem worth it