Any best practices with using AWS SSO and pulumi? ...
# general
b
Any best practices with using AWS SSO and pulumi? I've been successfully using it plus https://github.com/jaxxstorm/aws-sso-creds to get the hiring AWS environment variables for pulumi. However recently I needed to work with multiple AWS accounts in one pulumi stack. I created a second AWS.Provider using different environment variables (again supplied by aws-sso-creds). This worked fine but feels inelegant. It also had the side effect of updating the Pulumi.stackname.yaml with these (now encrypted) short-lived creds, which means unnecessary git handling. What's the best practice here?
b
oh hai, I wrote that tool 👋 Generally, you shouldn’t actually need aws-sso-creds anymore unless you’re doing something specific that requires the credentials. The AWS SDK in pulumi supports just using credentials via AWS SSO. Generally, you shouldn’t really ever need to store credentials in your stack yaml. You might try reading this to get a better idea of the right time to use each credentials option: https://leebriggs.co.uk/blog/2022/09/05/authenticating-to-aws-the-right-way
f
at SurrealDB I implemented a cool solution using Pulumi ESC. Maybe I could write about it. Basically we generate the awsConfig based on the accounts we manage with Pulumi, and then I use that content inside ESC to populate a temporary ~/.aws/config file. Very elegant IMO, considering all the extra scripting required in the past.
l
If the various accounts you need to work with are all using a single IAM identity centre (which is the normal case if they're all in the same AWS Organization) then you can create multiple profiles using a single sso_session which validates to that identity centre. Logging into one profile via `aws sso login` means that all the profiles log in at the same time, and you can create a Pulumi aws.Provider for each profile, giving you access to each account via the one identity centre.
AWS credentials file snippet
b
So I'd set up `aws.Provider` w/ `access_key` / `secret_key` / `token` - and you're saying had I just omitted those then things would have 'just worked'. Feeling foolish if that's the case, let's go check it out.
l
The AWS provider supports SSO. The process is: • Set up profiles and sso_session according to the AWS docs. • Set up your aws.Provider using the profile and nothing else. • Use the SSO URL in a web browser to log in, or use the profile with `aws sso login` and follow the directions in your console. • Run `pulumi up` and enjoy 🙂
b
Yep. Removed three lines of unnecessary kwargs from my `aws.Provider` and boom, the magic I was hoping for. Thanks everyone here! That really isn't in any of the docs - is there a place to provide feedback?
f
AFAIK Pulumi wants to provide their OIDC integration with AWS
l
OIDC is different. It's not intended for user access. SSO is used by developers; OIDC is for use in CD pipelines or similar.