I’m using GitHub Actions. So using STS you can request a temporary credential. So I guess it’s not really related to Pulumi, but it would be that the CI requests temporary credentials, waits for the user to generate a token by using MFA/2FA, and somehow gets that into CI.
Also making sure a lot of users in IAM that aren’t admin can do it.
incalculable-engineer-92975
03/16/2020, 1:35 PM
MFA simply isn't reasonable for CI. We do the same as above. Have a base user set up on the EC2 instances in the build cluster, then have a build step that assumes the proper role for that build pipeline. The base user can pretty much just assume roles.