Sounds like the issue is the "hard limit" of the 1 hour situation. I'd work to get that fixed first, but past that, theres no way for pulumi to check your session and send a request to some outside system asking for a refresh? Wont happen.. so, what you should try is see what happens if you manually update the role variables during execution of pulumi. My guess is that you'll want to use some type of side process that is checking the creds and refreshing them as needed. Or maybe, you use a script to get temp creds, write them to a file, and update that file. Something like that. Pulumi uses the terraform providers, and those make a bunch of individual calls so your question about a single asynchronous call is not likely to happen, unfortunately.