No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Not within Pulumi. There are probably many AWS-specific solutions. For example, you could provide the permissions only via an assumable role, and put a condition on the assumeRolePolicy for the role that limits it to being assumed only from a single, well-protected EC2 instance.

Generally, the security around access keys and secrets are considered enough for most use cases. If you need additional security in depth, then AWS allows access to roles to be restricted in lots of ways, including source IP address, MFA, account of assuming user, etc...

Broadly I would expect to run the sensitive deployments from my CI build environment and those provide various means to protect secrets/keys for use with build pipelines.

Pragmatically its straightforward to run pulumi in Azure DevOps, or Github, or CircleCI - all of which would amount to "remote run" enviornments.