https://pulumi.com logo
Powered by
#general
Title
# general
v

victorious-dusk-75271

09/13/2022, 4:06 AM
This is not really a pulumi question. So the problem i have is with managing the 
AWS_ACCESS_KEY_ID
and 
AWS_SECRET_ACCESS_KEY
, so I was wondering there anything i can use with pulumi to automatically set those for pulumi stacks?
s

stocky-restaurant-98004

09/13/2022, 1:38 PM
Are you working in multiple accounts?
v

victorious-dusk-75271

09/13/2022, 1:39 PM
Yes. different account for staging and production
s

stocky-restaurant-98004

09/13/2022, 1:40 PM
You should have either 1 long-lived access key, or, ideally, zero. This article explains current best practices: https://leebriggs.co.uk/blog/2022/09/05/authenticating-to-aws-the-right-way
I recommend trying named profiles. Put config like this in 
~/.aws/config
(This is from the article)
Copy code
[profile personal-management]
sso_start_url = <https://lbrlabs.awsapps.com/start>
sso_region = us-west-2
sso_account_id = <account-id>
sso_role_name = AWSAdministratorAccess
region = us-west-2
output = json
You can put multiple profiles in your AWS config file, and then select them with 
AWS_PROFILE=
. You can also set that profile in your stack config. For configuring the provider, see: https://www.pulumi.com/registry/packages/aws/installation-configuration/#set-up-multiple-profiles
👍 1
And you definitely only want to get short-lived access keys via 
aws sso login
because you probably need full admin, and if those credentials leak somehow (like committing them to git by accident), that's really bad.
v

victorious-dusk-75271

09/13/2022, 1:49 PM
oh yes. Thank you so much. The informations you have provided are really helpful.
s

stocky-restaurant-98004

09/13/2022, 1:51 PM
You're very welcome! Thank @billowy-army-68599, too for that blog post!
👍 1
v

victorious-dusk-75271

09/13/2022, 1:54 PM
Yes of course. thank you @billowy-army-68599 for wonderful blog post 🙂
2 Views
Powered by