No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

from here: <https://www.pulumi.com/docs/pulumi-cloud/oidc/aws/>

does this:
&gt; The steps in this guide will work for Pulumi ESC if you use the following syntax instead:
&gt; 
&gt; pulumi:environments:org:contoso:env:&lt;yaml&gt;
&gt; 
&gt; Make sure to replace contoso with the name of your Pulumi organization and use the literal value of &lt;yaml&gt; as shown above.
mean literally put `pulumi:environments:org:contoso:env:&lt;yaml&gt;` verbatim, as in with “&lt;yaml&gt;” not replaced with anything, as the subject condition in the trust policy?

A quick FYI on this...

As I recall, I found that, the `pulumi:environments:org:[myorg]:env:&lt;yaml&gt;` was needed for IAC to access the secrets via OIDC (in my case GCP Secret Manager secrets). However, the Pulumi ESC web console could not access them unless I *also* provided `pulumi:environments:org:[myorg]:env:dev`  subject