Hey folks, I'm having some issues trying to set up Deployments with AWS OIDC. I've verified that the OIDC IdP and Audience is set correctly, and the OIDC flow does indeed return both keys and session token (I've `echo`ed out all three as part of a preview deployment run), but when it comes to the preview it fails with the following:

Error: Preview failed: error: getting stack configuration: get stack secrets manager: operation error KMS: Decrypt, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, canceled, context deadline exceeded

The IAM Role associated with the OIDC config and audience has admin privs across the whole AWS account. Our stack config uses KMS as a secrets provider. The stack config is configured to use an AWS profile thus:

awskms://alias/pulumi?region=eu-west-1&profile=<profile>&awssdk=v2

but I'm overriding that in the Deployment config with the mapping

secretsprovider: <awskms://alias/pulumi?region=eu-west-1>

(at least I'm assuming that's overriding it). I've also verified that the KMS key has a policy attached to it that allows access from the whole AWS account. Anyone have any ideas what I'm doing wrong?

but I'm overriding that in the Deployment config with the mapping

what's the command you're using to do this? and does the config you expect show up in the stack update?

Thanks for the reply Komal. I've managed to get around this by writing out the returned creds from the OIDC flow to a local AWS config file under a profile name.