Hii, I’m facing an issue with integrating Pulumi ...
# general
l
Hii, I’m facing an issue with integrating Pulumi Cloud environments and AWS Secrets Manager. I’ll explain the problem in detail, and if you have any questions, feel free to ask.

Current Setup

Environment Configuration: In Pulumi Cloud under the environments section, I integrated AWS Secrets Manager using the following configuration:

```yaml
values:
  aws:
    login:
      fn::open::aws-login:
        oidc:
          duration: 1h
          roleArn: arn:aws:iam::321543719502:role/pulumi-esc-oidc-role
          sessionName: pulumi-environments-session
          subjectAttributes:
            - currentEnvironment.name
            - pulumi.user.login
    secrets:
      fn::open::aws-secrets:
        region: us-east-1
        login: ${aws.login}
        get:
          secret_data_password:
            secretId: /dev/aetn.pulumi.templates/secret_data_password
          secret_data_username:
            secretId: /dev/aetn.pulumi.templates/secret_data_username
  environmentVariables:
    AWS_ACCESS_KEY_ID: ${aws.login.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${aws.login.secretAccessKey}
    AWS_SESSION_TOKEN: ${aws.login.sessionToken}
    SECRET_DATA_PASSWORD: ${aws.secrets.secret_data_password}
    SECRET_DATA_USERNAME: ${aws.secrets.secret_data_username}
  pulumiConfig:
    SECRET_DATA_PASSWORD: ${aws.secrets.secret_data_password}
    SECRET_DATA_USERNAME: ${aws.secrets.secret_data_username}
```
Role Permissions: The `pulumi-esc-oidc-role` IAM role has permissions to fetch secrets from AWS Secrets Manager, and the integration works perfectly. I can test it using the Pulumi CLI:

```shell
pulumi env open test/templates/dev-environment
```

This command successfully retrieves the secrets (`secret_data_password` and `secret_data_username`) defined in the environment.

Integration with Pulumi Code: I added the environment in my Pulumi YAML configuration:

```yaml
environment:
  - templates/dev-environment
```
This allows me to retrieve the secrets directly in my Pulumi code.

The Problem

When the `aws-login` session is established via the environment configuration, it overrides my local AWS session (set up using `aws configure`). This is problematic because the OIDC role (`pulumi-esc-oidc-role`) only has permissions to fetch secrets but lacks the permissions required to provision other AWS resources, such as referencing the EKS stack.

What I’ve Tried

Option 1: Grant Full Admin Permissions to the OIDC Role

This works for most resources but fails when referencing the EKS stack. Even if it worked, granting full admin permissions to the role is not a valid solution because it would allow everyone with access to this environment to manage everything in the AWS account.

Option 2: Use Direct AWS Credentials in the Environment

I modified the environment configuration to use AWS credentials of a user with full admin permissions:

```yaml
values:
  aws:
    login:
      accessKeyId: MY_ACCESS_KEY
      secretAccessKey: MY_SECRET_KEY
    secrets:
      fn::open::aws-secrets:
        region: us-east-1
        login: ${aws.login}
        get:
          secret_data_password:
            secretId: /dev/aetn.pulumi.templates/secret_data_password
          secret_data_username:
            secretId: /dev/aetn.pulumi.templates/secret_data_username
  environmentVariables:
    AWS_ACCESS_KEY_ID: ${aws.login.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${aws.login.secretAccessKey}
    AWS_SESSION_TOKEN: null
    SECRET_DATA_PASSWORD: ${aws.secrets.secret_data_password}
    SECRET_DATA_USERNAME: ${aws.secrets.secret_data_username}
```
This successfully retrieves the secrets and provisions all resources in the stack. However, it is not a valid solution because:

• The credentials belong to a user with full admin permissions, exposing them to anyone with access to Pulumi Cloud.
• The credentials are hardcoded into the environment configuration.

Option 3: Use Pulumi Secrets to Securely Pass AWS Credentials

Pulumi secrets allow securely encrypting and storing sensitive values in YAML files. However, this approach doesn’t work in the environment configuration because Pulumi secrets are only usable within the Pulumi code (`index.ts`) and cannot be referenced directly in environments.

Valid Solution Needed

The most valid approach would be to retain the original integration where:

1. The OIDC role (`pulumi-esc-oidc-role`) is used exclusively for fetching secrets from AWS Secrets Manager.
2. My local AWS session (set up with `aws configure`) is used for provisioning the rest of the resources in the stack.

However, the current issue is that the session established via the Pulumi environment overrides my local session, preventing me from provisioning resources. Is there a way to switch back to my local AWS session after retrieving the secrets, ensuring that both sessions can coexist during the stack deployment?
r
@lemon-napkin-29230 You should be able to use your local session if you just don't define the environment variables with the AWS credentials. Only use it for passing into the secrets provider, but don't add it to `environmentVariables` at the end.
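Applying that answer to the original OIDC environment, as an added example that is not from the thread: the `aws.login` output is still consumed by `aws-secrets`, but only the two secret values are exported, so the AWS provider falls back to the locally configured `aws configure` session for everything else. The role ARN, secret IDs and key names are the ones from the post; the comments are mine.

```yaml
values:
  aws:
    login:
      fn::open::aws-login:
        oidc:
          duration: 1h
          roleArn: arn:aws:iam::321543719502:role/pulumi-esc-oidc-role
          sessionName: pulumi-environments-session
          subjectAttributes:
            - currentEnvironment.name
            - pulumi.user.login
    secrets:
      fn::open::aws-secrets:
        region: us-east-1
        # The read-only OIDC session is consumed here and nowhere else.
        login: ${aws.login}
        get:
          secret_data_password:
            secretId: /dev/aetn.pulumi.templates/secret_data_password
          secret_data_username:
            secretId: /dev/aetn.pulumi.templates/secret_data_username
  # No AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN here:
  # leaving them out keeps the AWS provider on the local session, and the
  # OIDC role never needs more than Secrets Manager read permissions.
  environmentVariables:
    SECRET_DATA_PASSWORD: ${aws.secrets.secret_data_password}
    SECRET_DATA_USERNAME: ${aws.secrets.secret_data_username}
  pulumiConfig:
    SECRET_DATA_PASSWORD: ${aws.secrets.secret_data_password}
    SECRET_DATA_USERNAME: ${aws.secrets.secret_data_username}
```

Running `pulumi env open test/templates/dev-environment` on this version should list only the two `SECRET_DATA_*` entries under `environmentVariables`, which is a quick check that no AWS credentials leak out of the environment into the stack's process.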
s
@lemon-napkin-29230 Did Komal's answer fix your issue?
l
yep, thanks so muchhhh