Is it possible to get unwrapped values in dynamic resource? to avoid the error? or general question is: How do I correctly create AWS SDK client from

aws.Provider

passed to the

pulumi.dynamic.ResourceProvider

class EnableRAOrgSharingProvider implements pulumi.dynamic.ResourceProvider {
    // Implement the necessary methods, in this case, we're only providing a simple 'create' operation.
    public create: (inputs: pulumi.Inputs) => Promise<pulumi.dynamic.CreateResult>;

    constructor(private readonly provider?: aws.Provider) {
        this.create = async (inputs: EnableRAOrgSharingInputs) => {
            const ec2Client = new ec2sdk.EC2Client({
                region: inputs.awsProvider.region,
            // TS2345: Argument of type  [{ region: Output<Region | undefined>; }]  is not assignable to parameter of type  [] | [EC2ClientConfig] 
Type  [{ region: Output<Region | undefined>; }]  is not assignable to type  [EC2ClientConfig] 
            });

You probably don't want a future-Region. If this is passed in from config, would you be able to unwrap the Input to a string? With type checking, you can throw an error if it's a Promise or an Output, and continue only if it's a non-undefined string. Alternatively you could construct the client inside each preview/up, rather than at construction time. This would save resources; just need to worry about how expensive it is to construct a client.

The future region is not a problem - that can be an

Input

. The problem is with the rest of the parameters eg.

AccessKeyId

,

SecretAccessKey

because they are only available after the role assumption. I want to pass in a dedicated AWS provider for the resources and create a client from its credentials.

I'm afraid I don't know. In all my use cases, role assumption for use by Pulumi happens before Pulumi is invoked. I work on the theory that if I give Pulumi the necessary credentials to assume a role, then it will use the original credentials for evil and not tell me (I may be exaggerating for effect, here). Following the principle of least privilege, Pulumi should have only the powers to do its work, at all times. The power to assume the role it needs to do its work can be reserved for different tools (e.g. .credentials,

aws sso

, or similar).

@great-sunset-355

I want to pass in a dedicated AWS provider for the resources and create a client from its credentials.

You can assume a role using the AWS SDK too, so you don't have to pass in a Pulumi AWS provider object. Instead, just pass the role ARN, then execute an assume role action using the client within the dynamic provider. Also re: the region input value, not sure if you know this already but the dynamic provider's methods will get unwrapped values of the dynamic resource's inputs at runtime. So you just need to declare a version of the inputs interface you are using that uses primitive types. For example, see https://github.com/pulumi/examples/blob/master/classic-azure-ts-dynamicresource/cdnCustomDomain.ts#L29.