# general
b
I figure I might be able to scan an s3 folder, download all the state files, then login local, do my update, and then upload them all back to s3, but is there a better built-in way to go about this?
m
I think you’re asking about setting up multiple AWS providers.
b
ah yes, if that is possible and one can be used to store state, and the other as the target account, then that would be sufficient
b
Yes that is possible
You can use the environment variables for the backend account and then a specific provider for the new AWS account to deploy into
b
great, thank you - i'll have a look into this, env vars and a deploy provider would be perfect
m
I posted an example in a previous thread here
c
As a suggestion for how to do this sort of thing while maintaining your sanity, the `aws.Provider` args have an `assumeRole` property, which is a little easier to understand and manage than storing/retrieving different IAM Access keys. It also allows you to ensure that only certain users/roles can deploy the Pulumi stack (e.g. those who can assume the specific role, etc.)
m
Wow, I didn’t realize you could assume roles across accounts https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
b
yea, that's what i intend to do.. have another account link our account via a role, and then the CI/CD platform will assume the cross role to deploy, and keep the state files on the CI/CD account
i don't mind using env vars + keys on the automation container as that is pretty simple, but the profile and provider will be role based