Hmm, is there a way to use STS or assume role instead of a pretty permissive Role with access token for CI? It would be cool to support https://github.com/99designs/aws-vault

Yep - Pulumi should already work with that tool.

You sure? Because it no longer uses the access token in .aws/ etc.

I haven’t tried it myself - but it sets the environment variables that Pulumi reads: https://github.com/99designs/aws-vault/blob/master/README.md#security.

Right, so our CI would have to execute aws-vault before running pulumi up. I wonder how that works with Github Actions.