Hi all, Has anyone managed to use eks entirely from credentials stored in the stack config? I’ve got it working on up by actually retrieving the token and shoving it in a kubeconfig but destroy doesn’t appear to re-retrieve the token, just relies on the one stored in the state.

I use RBAC and have Pulumi store a role that's assumed on deploy. However, this still requires AWS credentials that can assume that role in order to run Pulumi. Is this what you mean, or are you looking to embed static credentials in the configuration file?

we store credz + role to assume in the stack config and then use that to auth to eks

in our CI pipe, we subprocess out a call to `aws eks update-kubeconfig and then

k8s_provider = k8s.Provider(
    "k8s_provider",
    # cluster=current_context,
    context=current_context,
    kubeconfig='~/.kube/config',