Hi, I’m looking for best practices on using Pulumi on dev machines with temporary AWS credentials (specifically, I’m using temp credentials via aws ccli sso login). Any pointers would be appreciated 🙏

My strategy that has worked pretty well with `aws sso`: • Unless specifying a different provider region, just use the default AWS providers • To deploy under a separate IAM role, run something like

AWS_PROFILE=staging pulumi up

, where

staging

is a role in the

~/.aws/config

file • On CI, you just need to assume whatever AWS role you need before running any Pulumi commands and the auth works there too

Note that AWS SSO is specifically intended for interactive logins, and there are alternative techniques better suited for use by headless / service user logins. I found this out at the cost of several days' work recently when trying to get AWS SSO + GitHub pipelines to work with various stale hacks I found laying around the place. Dropping SSO in favour of AWS' recent support for GitHub's OIDC service was the correct solution in this case.

Thanks for the answers!