https://pulumi.com logo
#general
Title
# general
b

breezy-judge-31680

02/15/2024, 6:44 AM
Any best practices with using AWS SSO and pulumi? I've been successfully using it plus https://github.com/jaxxstorm/aws-sso-creds to get the hiring AWS environment variables for pulumi. However recently I needed to work with multiple AWS accounts in one pulumi stack. I created a second AWS.Provider using different environment variables (again supplied by aws-sso-creds). This worked fine but feels ineligent. Also had the side effect of updating the Pulumi.stackname.yaml with these (now encrypted) short loved creds, which means unnecessary git handling. What's the best practice here?
b

billowy-army-68599

02/15/2024, 7:05 AM
oh hai, I wrote that tool 👋 Generally, you shouldn’t actually need aws-sso-creds anymore unless you’re doing something specific that requires the credentials. The AWS SDK in pulumi supports just using credentials via AWS SSO. Generally, you shouldn’t really ever need to store credentials in your stack yaml. You might try reading this to get a better idea of the right time to use each credentials option: https://leebriggs.co.uk/blog/2022/09/05/authenticating-to-aws-the-right-way
f

famous-energy-3397

02/15/2024, 3:12 PM
at SurrealDB I implemented a cool solution using Pulumi ESC. Maybe I could write about it. Basically we generate the awsConfig based on the accounts we manage with Pulumi, and then I use that content inside ESC to populate a temporary ~/.aws/config file. Very elegant IMO, considering all the extra scripting required in the past.
l

little-cartoon-10569

02/15/2024, 6:53 PM
If the various accounts you need to work with are all using a single IAM identity centre (which is the normal case if they're all in the same AWS Organization) then you can create multiple profiles using a single sso_session which validates to that identity centre. Logging into one profile via
aws sso login
means that all the profiles log in at the same time, and you can create a Pulumi aws.Provider for each profile, giving you access to each account via the one identity centre.
AWS credentials file snippet
b

breezy-judge-31680

02/15/2024, 10:49 PM
So I'd set up
aws.Provider
w/
access_key
/
secret_key
/
token
- and you're saying had I just omitted those then things would have 'just worked'. Feeling foolish if that's the case, let's go check it out.
l

little-cartoon-10569

02/15/2024, 10:53 PM
The AWS provider supports SSO. The process is: • Set up profiles and sso_session according to the AWS docs. • Set up your aws.Provider using the profile and nothing else. • Use the SSO URL in a web browser to log in, or use the profile with
aws sso login
and follow the directions in your console. • Run
pulumi up
and enjoy 🙂
b

breezy-judge-31680

02/16/2024, 7:11 AM
Yep. Removed three lines of unnecessary kwargs from my
aws.Povider
and boom, the magic I was hoping for. Thanks everyone here! That really isn't in any of the docs - is there a place to provide feedback?
f

famous-energy-3397

02/21/2024, 9:23 AM
AFAIK Pulumi wants to provide their OIDC integration with AWS
l

little-cartoon-10569

02/21/2024, 6:33 PM
OIDC is different. It's not intended for user access. SSO is used by developers; OIDC is for use in CD pipelines or similar.
7 Views