No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

We’re having issues setting up AWS OIDC for an ESC env - details in :thread:

This is our trust relationship:
```{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "<pulumi oidc arn>"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "api.pulumi.com/oidc:aud": "aws:<companyname>",
                    "api.pulumi.com/oidc:sub": "pulumi:environments:org:<companyname>:env:<project>/<env>"
                }
            }
        }
    ]
}```
When I try to open the env, I get
```
Error: could not authenticate with AWS.
		Error: 
		Error: Please ensure that your trust relationship is correct
...
InvalidIdentityToken: Incorrect token audience```
the suggested subject/aud in the error message exactly match my Conditions above. the project wasn’t cloned from default or anything like that. any idea why?

For reference: x-pulumi-request-id:4c6d4ad6-a8cb-484c-8e98-7b733236b309

Figured it out: we had to add the aws:&lt;companyname&gt; audience to the allowlist of audiences in the IDP config in IAM.

<@U064M7FUHED> is there anything you would add to the docs that would've helped you resolve this?

The reason the section at the top <https://www.pulumi.com/docs/pulumi-cloud/access-management/oidc/provider/aws/#create-the-identity-provider|of this page >explaining the IDP setup didn’t help was because we set up OIDC before projects (so we only had &lt;org&gt; in our allowlist), so I never went back to the setup section and forgot it that allowlist existed. I think what would be most helpful is just to add to the error message when sts:assumerole fails: “Please ensure that your trust relationship is correct *and that your AWS Identity Provider for Pulumi has the aws:&lt;org&gt; audience configured*”

I was also staring at this section the entire time, so a callout in there as a reminder would probably have pre-empted it <https://www.pulumi.com/docs/pulumi-cloud/access-management/oidc/provider/aws/#pulumi-esc>

That's really helpful feedback thank you!