# aws
s
This message was deleted.
s
Not only: I tried to create a new stack and then destroy it with the very same config (the Pulumi env with OIDC) and everything works fine 😕
l
The STS get-caller-identity instruction can't 403 in many cases, as you don't need any actual permissions for that instruction. The only times it can happen are when your temporary credentials aren't valid. So the problem is absolutely with your OIDC and SSO credentials. You can ignore the stuff about JobDefinition: that's probably just when it's happening, not why it's happening.
I would check the provider(s) you're using, and ensure that they're using the credentials that you think they ought to be using. Is it possible that you're renewing credentials that the provider isn't using?
s
Thanks for the answer, but how can it be that creating a new stack and destroying it works fine?
With the very same OIDC credentials
l
Timing? Short-term credentials expire. I don't have enough information to debug, I'm just proposing areas of investigation.