No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

you’d use a condition key with the org ID:
<https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalorgid>

however, you likely don’t want to do this because you generally want to restrict access to secrets based on the IAM role

if you only use a condition key it allows access from all IAM roles

So I _think_ AWS doesn't support using that condition key on secrets. And your answer explains why that probably is. Super helpful. Thank you!