No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hey there, is there any example on how to deal with multiple aws accounts and multiple user identities?

personally i separate this out of pulumi and use aws-vault

e.g. `aws-vault exec profile_name -- pulumi up`

generally I wrap this into a script, and then just do npm run up

I didn’t come across `aws-vault` yet, thanks for sharing, definitely will look into it.

<@UPBPVT223> This might interest you, it's a draft from a still unpublished blog post of mine: <https://gist.github.com/Sodki/95b04ee9f4f44ed81de23b0cff3a4685>

I'm not sure if it's what you're looking for, <@UPBPVT223>, but we have different AWS accounts for eg. dev / test / prod environments, and I simply handle that so far by having each environment be a stack, with the following contents of the `Pulumi.&lt;stack&gt;.yaml` file:

```config:
  aws:profile: OUR_TEST_ENV_PROFILE
  aws:region: THE_REGION```
..and then all of us have profiles in `~/.aws/` for each of our environments, named the same (using a `company-dept-env` pattern).

To be clear, *my* dev / test / prod profiles use *my own* credentials for each of the accounts, etc.

<@U017XMBRMEF>, that’s actually what I’ve been doing so far myself. However, now I’m thinking to get rid of multiple “pulumi” IAM users that spread across multiple AWS Accounts in favour of IAM roles. The idea now is to centralise identities in a single AWS Account.

Ahh ok.. yeah, we've been considering that too, but with a small team of 2-3 persons needing account access, it's not been painful enough to care about yet :joy:

But does that really change anything? I thought you could set up assume role config for the profile instead, and just "keep going" as usual.

I think in my case I’ve more AWS Accounts than people accessing them, so to me it seems reasonable to make it a little bit more DRY and stop creating “pulumi-user” every time there is a new AWS Account.

Yeah, we just have a static set of 4 accounts.. one of which is "deprecated" and we're migrating away from, and another (dev) that's barely used.

&gt; But does that really change anything? I thought you could set up assume role config for the profile instead, and just “keep going” as usual.
I’m not sure yet, that’s why asking here for some real-world examples, curious to see how people tackle this problem.
I think Henrique shared a really good material, I’m looking forward to read the final post.

Yeah, I had a quick look too -- great to see stuff like this to get ideas for future development :slightly_smiling_face: