I am a bit concerned of setting our AWS tokens (Not root!) on a CI and giving to Pulumi eventually. Is there a way of using 2FA similar to battle.net where on requests to AWS APIs, it would expect approval from a mobile/2fa device?

@flat-insurance-25294 which CI are you using? For something I run myself, I usually run my jobs on EC2 hosts or containers that use IAM roles: • https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html • https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html • https://aws.amazon.com/about-aws/whats-new/2019/09/amazon-eks-adds-support-to-assign-iam-permissions-to-kubernetes-service-accounts/

I’m using Github Actions. So using STS you can request a temporary credential. So I guess it’s not really related to pulumi, but it would be that the CI request temporary credentials, waits for user to generate a token by using MFA/2FA and somehow get that into CI. Also making sure a lot of users in IAM that aren’t admin can do it.

MFA simply isn't reasonable for CI. We do the same as above. Have a base user setup on the EC2 instances in the build cluster then have a build step that assumes the proper role for that build pipeline. The base user can pretty much just assume roles.