My strategy that has worked pretty well with `aws sso`:
• Unless specifying a different provider region, just use the default AWS providers
• To deploy under a separate IAM role, run something like `AWS_PROFILE=staging pulumi up`, where `staging` is a role in the `~/.aws/config` file
• On CI, you just need to assume whatever AWS role you need before running any Pulumi commands and the auth works there too
rapid-raincoat-36492
11/24/2021, 4:35 PM
^ This also works well with `aws-vault` if you use that to manage local credentials
little-cartoon-10569
11/24/2021, 7:55 PM
Note that AWS SSO is specifically intended for interactive logins, and there are alternative techniques better suited for use by headless / service user logins. I found this out at the cost of several days' work recently when trying to get AWS SSO + GitHub pipelines to work with various stale hacks I found laying around the place. Dropping SSO in favour of AWS' recent support for GitHub's OIDC service was the correct solution in this case.