This message was deleted.

Is that possible even in AWS? If you try to assume a role, doesn't it use your actual login to determine whether or no you're allowed to?

first - it’s possible to do multiple assumes as long as the assumed role has permissions for it. Second - the way i solved was that i used the AWS CLI to do the multiple assumes and passed the credentials to pulumi when I created the provider

@clever-byte-21551 I have a similar use case, where I want to create a role (with an already assumed role), grant policies and then assume to that new role to create some other stuff, all within the same Pulumi program (ideally). If possible, could you share more details on how you achieved this?

@acoustic-leather-88378 I just used the aws sdk to do the multiple assumes and saved the assumed credentials to a file in the format:

[default]
aws_access_key_id = %s
aws_secret_access_key = %s
aws_session_token = %s

In the pulumi provider I supplied it with the path to the file:

p, err := pulumiaws.NewProvider(ctx, "assumedRole", &pulumiaws.ProviderArgs{
   SharedCredentialsFile: pulumi.String(b.awsCredsFilePath),
   Region:                pulumi.String(b.Region),
})

The reason for that is to avoid saving to the state the ephermal credentials (they expire after an hour) the only that is saved to the state is the path to the file which I make sure exists before running the stack.

Thanks @clever-byte-21551. I was looking at other similar solutions around creating multiple providers but your point around state and ephemeral creds makes sense 👍

you might need to split it to a different stack in order for this to work with my solution