#esc

gifted-balloon-26385

12/13/2023, 7:07 AM
from here: https://www.pulumi.com/docs/pulumi-cloud/oidc/aws/ does this:
The steps in this guide will work for Pulumi ESC if you use the following syntax instead:
pulumi:environments:org:contoso:env:<yaml>
Make sure to replace contoso with the name of your Pulumi organization and use the literal value of <yaml> as shown above.
mean literally put
pulumi:environments:org:contoso:env:<yaml>
verbatim, as in with “<yaml>” not replaced with anything, as the subject condition in the trust policy?

red-match-15116

12/13/2023, 3:24 PM
Yes, correct.

sparse-apartment-71989

02/19/2024, 3:35 PM
A quick FYI on this... As I recall, I found that the
pulumi:environments:org:[myorg]:env:<yaml>
was needed for IAC to access the secrets via OIDC (in my case GCP Secret Manager secrets). However, the Pulumi ESC web console could not access them unless I also provided
pulumi:environments:org:[myorg]:env:dev
subject