Hello all! Been chasing an issue for a bit now... Attempting to use dynamic login credentials with ESC and AWS OIDC

# enterprise-role-creation/aws
values:
  aws:
    region: us-east-2
    login:
      fn::open::aws-login:
        oidc:
          duration: 1h
          roleArn: arn:aws:iam::<account>:role/enterprise-role-creation
          sessionName: pulumi-environments-session
  environmentVariables:
    AWS_ACCESS_KEY_ID: ${aws.login.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${aws.login.secretAccessKey}
    AWS_SESSION_TOKEN: ${aws.login.sessionToken}
    AWS_REGION: us-east-2

running

pulumi env open enterprise-role-creation/dev

works as expected

{
  "aws": {
    "login": {
      "accessKeyId": "<redacted>",
      "secretAccessKey": "<redacted>",
      "sessionToken": <redacted>"
    },
    "region": "us-east-2"
  }
}

for the stack config

environment:
  - enterprise-role-creation/dev

and IAM Trust Policy (limiting both the stack and environment)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account>:oidc-provider/api.pulumi.com/oidc"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "api.pulumi.com/oidc:sub": "pulumi:deploy:org:pacificfusion:project:enterprise-role-creation:dev",
          "api.pulumi.com/oidc:aud": "aws:pacificfusion"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account>:oidc-provider/api.pulumi.com/oidc"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "api.pulumi.com/oidc:sub": "pulumi:environments:org:pacificfusion:env:enterprise-role-creation/dev",
          "api.pulumi.com/oidc:aud": "aws:pacificfusion"
        }
      }
    }
  ]
}

when running

pulumi preview --stack dev

, receive

error: getting stack configuration: opening environment: [0] 
Diags: could not authenticate with AWS.

Please ensure that your trust relationship is correct.
Subject: "pulumi:environments:org:pacificfusion:env:<yaml>"
Audience: "aws:pacificfusion"

WebIdentityErr: failed to retrieve credentials
caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
        status code: 403, request id: d69607e2-d3f3-4c6e-bf41-12905268f6c9

but if I open up the Trust Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account>:oidc-provider/api.pulumi.com/oidc"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "api.pulumi.com/oidc:aud": "aws:pacificfusion"
        }
      }
    }
  ]
}

the

pulumi preview

command works fine There is obviously some mismatch in my environment (and the resulting 'sub' in the OIDC request) that isn't matching what is in the Trust policy for environments this line doesn't seem to be resolving the actual environment name

`Subject: "pulumi:environments:org:pacificfusion:env:<yaml>"

based on error feedback what am I missing in the pulumi environment file and/or the Trust Policy to allow limiting role assumption to the specific stack and environment??