# general
i
does anyone have thoughts on this? I imagine this is a pretty standard concern for adding pulumi to CI/CD: https://github.com/pulumi/pulumi/discussions/15073
l
Have you taken a look at Pulumi Deployments (#pulumi-deployments) and ESC (#esc) ? Both of them have support for generating single use short term credentials per deployment that can be scoped down to a specific AWS role.
i
I think the devil in the detail here is defining the role policy, rather than assuming the role
e.g. I can't see in either of those solutions mentioned where it maps a resource (for example `aws.eks.Addon`) to a set of required permissions to provision for the AWS role
c
A common pattern is to deploy in dev - use IAM Analyzer / CloudTrail / `iamlive` to show the actual Actions and resources, and generate the Policy from that. It is a little surprising that in the TF ecosystem there's not a better static analysis way to do this, but AWS makes it difficult.
i
That would be a nice pattern to be able to automate, and even have the providers publish these themselves. Often I find I've provisioned the right permissions to create/update, and then when I go to replace or delete I get a bunch of permission errors.
f
IAM Analyzer / CloudTrail is also my recommendation. AWS does make it difficult. S3 in particular is really bad: when you create an S3 bucket you need many other permissions.