# getting-started
f
Hello, What is the best way to configure and run the stacks in different AWS accounts for each environment while having pulumi state stored at S3 only in the main AWS account?
s
I'm pretty new at this myself, however, we recently came across using AWS account profiles in our Pulumi code...we used this:

    # Explicit AWS provider bound to a named profile and region
    aws_provider = pulumi_aws.Provider("aws-provider",
        profile=self.aws_profile,
        region=self.aws_region
    )

where self.aws_profile was pulled from our Pulumi.dev.yaml as the named profile (i.e. sfenman if you were using your profile). Then with regards to only saving the state in S3 for the main account, that will require you to do a little coding with a conditional based on if the account is the main account. In Python, that would be: (from what I posted in #kubernetes yesterday) -- you'll need to add the conditional logic for only main

    import json
    import pulumi
    import pulumi_aws

    # Look up the existing bucket, then upload the cluster kubeconfig as an object
    bucket = pulumi_aws.s3.get_bucket("my_bucket_name")
    source = self.cluster.kubeconfig.apply(lambda s: pulumi.asset.StringAsset(json.dumps(s)))
    filename = f'{self.env_stack}-kubeconfig'
    pulumi_aws.s3.BucketObject(resource_name=filename,
        bucket=bucket.id,
        key=f'some/sub_dir/{filename}',
        source=source
    )
b
the s3 bucket auth is separate to the provider code, so you can set AWS_PROFILE (or AWS_KEY etc) and then set aws:profile in your stack config