After further investigation, it appears to be looking for the SSO cached creds in the wrong file. (e.g. ...\.aws\sso\cache\8c949bbb2b27179c4e6e5d24c11b8bb3ada23a2a.json ). However, that file doesn't exist. When I manually create that file, all works fine. Any idea where it's getting the name of the cache file from?
I've tried reinstalling the pulumi cli, aws cli and rebooting. For some reason it keeps looking for this exact same cache file every time.
The aws cli works fine
Found that it has to do with the use of a profile and sso-session in the .aws/config file. When a profile is pointing at an sso-session, the AWS CLI will generate a SSO cache file with a filename that matches the sha1 of the sso-session name. However, if no sso-sessoin is used in in the .aws/config file, the sha1 of the sso_start_url is used instead.
Maybe this logic changed recently and the pulumi dependencies haven't caught up?