Hey folks, I am interested in evaluating Pulumi for my organization, but have a question surrounding provider credentials. In my ideal workflow I would like to provision a very capable IAM role for Pulumi but prevent those credentials from being used/abused outside of the Pulumi plan/apply workflow. Does anyone know if there is a simple way to provide a remote-run/remote-execute environment for Pulumi? Or any way to shield/hide these powerful provider credentials? Thanks in advance! 🙏

Not within Pulumi. There are probably many AWS-specific solutions. For example, you could provide the permissions only via an assumable role, and put a condition on the assumeRolePolicy for the role that limits it to being assumed only from a single, well-protected EC2 instance.

Broadly I would expect to run the sensitive deployments from my CI build environment and those provide various means to protect secrets/keys for use with build pipelines. Pragmatically its straightforward to run pulumi in Azure DevOps, or Github, or CircleCI - all of which would amount to "remote run" enviornments.