I have a security question. What's the recommended...
# general
b
I have a security question. What's the recommended practice with AWS to allow for local command-line Pulumi usage? I have a dedicated role that I assume in the CI, but I can only assume this role from the runners. What's the recommended approach for command-line, manual intervention (if any)?
d
You could grant access for your user to assume the role. I used to use a tool called aws-vault for using roles in profiles locally; it takes care of setting up environment variables and MFA flows.
CloudTrail will associate your user with any actions taken for audit purposes.
b
cool thx. Problem is we are several in the team. But maybe we can have a dedicated account for elevation, will check