# general
s
l
Not within Pulumi. There are probably many AWS-specific solutions. For example, you could provide the permissions only via an assumable role, and put a condition on the assumeRolePolicy for the role that limits it to being assumed only from a single, well-protected EC2 instance.
Generally, the security around access keys and secrets is considered enough for most use cases. If you need additional security in depth, then AWS allows access to roles to be restricted in lots of ways, including source IP address, MFA, account of the assuming user, etc.
s
Broadly, I would expect to run the sensitive deployments from my CI build environment, and those provide various means to protect secrets/keys for use with build pipelines. Pragmatically, it's straightforward to run pulumi in Azure DevOps, or GitHub, or CircleCI - all of which would amount to "remote run" environments.