
many-salesmen-89069

11/24/2021, 4:25 PM
Hi, I’m looking for best practices on using Pulumi on dev machines with temporary AWS credentials (specifically, I’m using temp credentials via aws cli sso login). Any pointers would be appreciated 🙏

rapid-raincoat-36492

11/24/2021, 4:34 PM
My strategy that has worked pretty well with `aws sso`:
• Unless specifying a different provider region, just use the default AWS providers
• To deploy under a separate IAM role, run something like `AWS_PROFILE=staging pulumi up`, where `staging` is a role in the `~/.aws/config` file
• On CI, you just need to assume whatever AWS role you need before running any Pulumi commands and the auth works there too
^ This also works well with `aws-vault` if you use that to manage local credentials

little-cartoon-10569

11/24/2021, 7:55 PM
Note that AWS SSO is specifically intended for interactive logins, and there are alternative techniques better suited for use by headless / service user logins. I found this out at the cost of several days' work recently when trying to get AWS SSO + GitHub pipelines to work with various stale hacks I found laying around the place. Dropping SSO in favour of AWS' recent support for GitHub's OIDC service was the correct solution in this case.

many-salesmen-89069

11/25/2021, 10:10 AM
Thanks for the answers!