Does the Pulumi CLI work directly with temporary credentials that are provided by STS? Or do I need to write something to wrap the credentials that aws`sts assume-role` generates?

@colossal-plastic-46140 Depends. It works using

aws-vault

which sets the temporary credentials in the correct environment variables what the

aws-sdk-go

expects.

Cool thats what I thought, just wanted to doublecheck

If you use the AWS CLI, you best set a named profile in the config file https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html & reference this profile either via

AWS_PROFILE

env or

pulumi config set aws:profile

(see https://www.pulumi.com/docs/get-started/aws/configure/).

perfect thats what I needed

Al of the above works - but note that you can also do something like https://github.com/pulumi/examples/blob/master/aws-ts-assume-role/assume-role/index.ts to directly assume a role without the need for external tools.

Would Pulumi also prompt for the MFA code?