Hi, I’m looking for best practices on using Pulumi...
# aws
m
Hi, I’m looking for best practices on using Pulumi on dev machines with temporary AWS credentials (specifically, I’m using temp credentials via `aws cli sso login`). Any pointers would be appreciated 🙏
r
My strategy that has worked pretty well with `aws sso`:
• Unless specifying a different provider region, just use the default AWS providers
• To deploy under a separate IAM role, run something like `AWS_PROFILE=staging pulumi up`, where `staging` is a role in the `~/.aws/config` file
• On CI, you just need to assume whatever AWS role you need before running any Pulumi commands and the auth works there too

^ This also works well with `aws-vault` if you use that to manage local credentials
l
Note that AWS SSO is specifically intended for interactive logins, and there are alternative techniques better suited for use by headless / service user logins. I found this out at the cost of several days' work recently when trying to get AWS SSO + GitHub pipelines to work with various stale hacks I found lying around the place. Dropping SSO in favour of AWS' recent support for GitHub's OIDC service was the correct solution in this case.
m
Thanks for the answers!