# aws
b
hey Tony! I could be wrong, but i think there's a typo here?
```
[dev-pulumi]
aws_access_key_id = redacted
aws_secret_access_key = redacted

[profile dev-pulumi]
source_profile = dev_pulumi
role_arn = arn:aws:iam::redacted:role/redacted-TEMP
```
shouldn't this be `dev-pulumi` (dash, not underscore?) I don't see any `dev_pulumi` profile
p
well that's horribly embarrassing
that totally was the issue. thank you much!
b
glad it was simple!
p
well maybe not... just realized in testing I created a user out of scope in the dev account to test that it worked and it worked with the user/role being in the same account. When I switch the awsprofile in the Pulumi.dev.yaml to just `dev` file it fails with
```
error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see https://pulumi.io/install/aws.html for details on configuration
```
this is the one that is logging in to the identity account and then role switching to another account entirely. for example the identity account number is 123456, and the dev account number is 098765
```
[profile prod]
source_profile = prod-main
role_arn = arn:aws:iam::123456:role/role-TEMP
mfa_serial = arn:aws:iam::123456:mfa/tony

[profile dev]
source_profile = prod-main
role_arn = arn:aws:iam::098765:role/role-TEMP
mfa_serial = arn:aws:iam::123456:mfa/tony
```
b
i'm not totally sure of the answer to that, it seems you're using profiles in a fairly unique way and I'm unfortunately not familiar with it - ultimately Pulumi will use the profile if it's set up correctly, it uses the AWS GO SDK
a
@purple-orange-91853 Check the Pulumi section here, maybe it will help: https://gist.github.com/Sodki/95b04ee9f4f44ed81de23b0cff3a4685
p
for context I am using the standard method by AWS to authenticate against different accounts. The roles and policies are configured correctly as I can switch via the AWS CLI and have access to the correct resources when using `--profile` in my cli strings. See "Example scenario: Allow an instance profile role to switch to a role in another account" in this AWS doc for reference. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-cli.html
b
@purple-orange-91853 it might be easier to jump on a call to get this configured, can you grab some time from here for next week? https://calendly.com/d/mxtb-bs7b/30-minute-meeting