https://pulumi.com logo
#aws
Title
c

colossal-plastic-46140

02/21/2020, 4:06 PM
Does the Pulumi CLI work directly with temporary credentials that are provided by STS? Or do I need to write something to wrap the credentials that aws`sts assume-role` generates?
s

stocky-island-3676

02/21/2020, 4:14 PM
@colossal-plastic-46140 Depends. It works using
aws-vault
which sets the temporary credentials in the correct environment variables what the
aws-sdk-go
expects.
c

colossal-plastic-46140

02/21/2020, 4:17 PM
Cool thats what I thought, just wanted to doublecheck
s

stocky-island-3676

02/21/2020, 4:18 PM
If you use the AWS CLI, you best set a named profile in the config file https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html & reference this profile either via
AWS_PROFILE
env or
pulumi config set aws:profile
(see https://www.pulumi.com/docs/get-started/aws/configure/).
The JSON output from
aws sts assume-role
must be put in the correct environment variables, though: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
c

colossal-plastic-46140

02/21/2020, 4:29 PM
perfect thats what I needed
w

white-balloon-205

02/22/2020, 2:52 AM
Al of the above works - but note that you can also do something like https://github.com/pulumi/examples/blob/master/aws-ts-assume-role/assume-role/index.ts to directly assume a role without the need for external tools.
s

stocky-island-3676

02/27/2020, 7:48 PM
Would Pulumi also prompt for the MFA code?