I am a bit concerned about setting our AWS tokens (not root!) on a CI and eventually giving them to Pulumi. Is there a way of using 2FA similar to battle.net, where on requests to AWS APIs it would expect approval from a mobile/2FA device?
I'm using GitHub Actions. So using STS you can request a temporary credential. So I guess it's not really related to Pulumi, but it would be that the CI requests temporary credentials, waits for the user to generate a token using MFA/2FA, and somehow gets that into CI.
Also making sure that a lot of users in IAM who aren't admins can do it.
03/16/2020, 1:35 PM
MFA simply isn't reasonable for CI. We do the same as above. Have a base user set up on the EC2 instances in the build cluster, then have a build step that assumes the proper role for that build pipeline. The base user can pretty much just assume roles.