No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Pulumi doesn't support aws MFA scenarios does it?

In what way? As in can it bypass the MFA or do you mean you're being asked to enter the MFA when you run `pulumi up`?

<@U029E1RR5L3> it does, yes - but you need to authenticate with MFA and retrieve a session token
I can walk you through it if needed

Confirm it works fine. My team uses MFA with Pulumi all the time.

<@U012UJTT55M> for my own posterity, what's your workflow?

Once a day, I grab my 6-digit MFA value from BitWarden and pass it to a bash alias I have, `aws2fa`.

For the next 24 hours, I can use Pulumi :slightly_smiling_face:

The alias sets up an AWS profile with the temp creds, and a fixed name. The AWS profile that I use with Pulumi uses _that_ profile as its source.

mind sharing that alias? I've recommended `aws-vault` for this before

refresh-aws-credentials_sh.sh

The alias isn't very interesting, it just invokes an image that uses this script as an entrypoint. I think a colleague got the script from an AWS or Pulumi page...

3 profiles involved: _identity_ is the user's profile with creds that need MFA; _identity-mfa_ is a temp profile set up with the creds returned by _get-session-token_; and _pulumi_ is the user's profile that refers to _identity-mfa_ and sets up the assumed role.

(Code edited to remove hard-coded account IDs, untested in this version, you may need to edit to get it to work.)