# getting-started
Does pulumi have a good way to manage cross-account AWS Secrets Manager secrets?
If you follow the OIDC docs to set up AWS Secrets Manager support, you can just rinse and repeat for roles on all your accounts, e.g.
```yaml
aws:
  acct1:
    fn::open::aws-login:
      oidc:
        roleArn: arn:aws:iam::111111111:role/esc-oidc
        sessionName: pulumi-environments-session
  acct2:
    fn::open::aws-login:
      oidc:
        roleArn: arn:aws:iam::999999999:role/esc-oidc
        sessionName: pulumi-environments-session
  # One fn::open::aws-secrets per key: two identical keys under a single
  # `secrets` map would be duplicate YAML keys, so each account gets its own.
  secrets-acct1:
    fn::open::aws-secrets:
      region: us-west-1
      login: ${aws.acct1}
      get:
        api-key-acct1:
          secretId: api-key
  secrets-acct2:
    fn::open::aws-secrets:
      region: us-west-1
      login: ${aws.acct2}
      get:
        api-key-acct2:
          secretId: api-key
```
(or you can split into separate envs)