# general
v
This is not really a Pulumi question. So the problem I have is with managing the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, so I was wondering, is there anything I can use with Pulumi to automatically set those for Pulumi stacks?
s
Are you working in multiple accounts?
v
Yes. Different accounts for staging and production.
s
You should have either 1 long-lived access key, or, ideally, zero. This article explains current best practices: https://leebriggs.co.uk/blog/2022/09/05/authenticating-to-aws-the-right-way
I recommend trying named profiles. Put config like this in `~/.aws/config` (this is from the article):
```
[profile personal-management]
sso_start_url = https://lbrlabs.awsapps.com/start
sso_region = us-west-2
sso_account_id = <account-id>
sso_role_name = AWSAdministratorAccess
region = us-west-2
output = json
```
You can put multiple profiles in your AWS config file, and then select them with `AWS_PROFILE=`. You can also set that profile in your stack config. For configuring the provider, see: https://www.pulumi.com/registry/packages/aws/installation-configuration/#set-up-multiple-profiles
👍 1
And you definitely only want to get short-lived access keys via `aws sso login` because you probably need full admin, and if those credentials leak somehow (like committing them to git by accident), that's really bad.
v
Oh yes. Thank you so much. The information you have provided is really helpful.
s
You're very welcome! Thank @billowy-army-68599, too, for that blog post!
👍 1
v
Yes, of course. Thank you @billowy-army-68599 for the wonderful blog post 🙂