Context:
I've created an AWS dynamic provider provider (yes, it's a provider that provides dynamic providers) that interacts with AWS SSO to guide the user through SSO authentication, then obtains temporary keys for the correct account(s) for a stack deployment, meaning they don't need to set up AWS CLI profiles etc. to perform a deployment (which I'll likely release at some point when I've ironed out the kinks). The last piece of the puzzle is to get Pulumi to run some code prior to trying to interact with the state store, so I can make sure the correct auth is in place that would allow it to succeed.
Currently, from what I can tell, if you have a backend defined for a project/stack, Pulumi will call out to the backend before your Pulumi program code is run. Since my dynamic auth flow hasn't happened by that point, the user won't have auth for the state store and the request fails.
At the moment, my method is to have a wrapper (an npm script) that sets up auth for the state store, allowing Pulumi to run my code and grab auth for the dynamic providers, but it isn't very portable or language-agnostic.
Of course, the simplest solution is to use Pulumi Cloud as the state store, but I'm interested in the rabbit hole 😉