No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

The providers you pass to the resources and the awskms auth are handled differently. You can set the `aws:profile` configuration key using `pulumi config set aws:profile` and that becomes the default for all resources. You could then use `AWS_PROFILE` as an env var for the aws_kms

I set aws:region to invalid, its a workaround to create explicit providers.  Then have a context manager (using in .net) to switch assume roles.  Also use automation api so secrets provider is set and access keys are in the stack but encrypted.

Untitled

ported form the C# version, haven't tested it much yet

Okay cool… so that use case may work for us. I’ll have to test it out, but I think last time I tried it, it tried to use the same role i defined in $AWS_PROFILE and the rest of the aws providers [default one, not a reinstantiated custom one as Derek showed] attmpted to use that profile instead of the one set by `aws:profile`. It’s possible I had hit a bug, so I could give it another try. Thanks!

This is the GitHub link for the ‘invalid’ workaround <https://github.com/pulumi/pulumi/issues/3383|https://github.com/pulumi/pulumi/issues/3383>

Confirmed that I am able to set `aws:profile` to use the default aws provider’s aws profile, and set `$AWS_PROFILE` in the environment prior to invoking pulumi with a different profile that has actual access to the CMK. :+1:  Thanks <@UCWG26BH7>. Perhaps a suggestion is a variable like `aws:kms_profile` in the stack would be handy, so that users of the stack do not have to remember to always set that KMS/CMK profile for decrypting the stack contents? not sure if that’s on the roadmap…

Ideally we should just move to not relying on the default provider, but that still doesn’t make it easy for one to use the awscmk decrypt without remembering to set a profile. It’s not the worst thing, but would help with the out-of-the-box experience

We currently isolate 90% of our stacks by AWS account [isolation] so rarely have to call in a second provider, thus, the default provider is sufficient for our needs.