flat-insurance-25294

03/13/2020, 11:14 AM
I am a bit concerned about setting our AWS tokens (not root!) on a CI and eventually giving them to Pulumi. Is there a way of using 2FA, similar to battle.net, where on requests to AWS APIs it would expect approval from a mobile/2FA device?

limited-rainbow-51650

03/13/2020, 1:04 PM

flat-insurance-25294

03/13/2020, 1:05 PM
I'm using GitHub Actions. So using STS you can request a temporary credential. So I guess it's not really related to Pulumi, but it would be that the CI requests temporary credentials, waits for the user to generate a token using MFA/2FA, and somehow gets that into CI. Also making sure a lot of users in IAM that aren't admin can do it.

incalculable-engineer-92975

03/16/2020, 1:35 PM
MFA simply isn't reasonable for CI. We do the same as above. Have a base user set up on the EC2 instances in the build cluster, then have a build step that assumes the proper role for that build pipeline. The base user can pretty much just assume roles.