No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hey guys,
Does someone have an idea how to activate MFA on AWS account for pulumi ? Also using github actions, so if someone know about good Action to use it could be great.
Thanks :slightly_smiling_face:

at what scope? the root account? per user?

I have “pulumi-dev”  user, which have assumeRole permissions on my dev/stg/prod accounts

using aws organization, the pulumi user is on the root account, which can assume role on the child accounts.

so you want to enable mfa for the pulumi-dev user? that'll mean you get prompted for your aws mfa token every time you run your action

Yeah i’m a bit confused with that… I know that what MFA means, but in terms of using an AWS account with pulumi (or other iac tool), is there any best practice you recommend ?

you can't automate mfa in a ci/cd pipeline to the best of my knowledge, that's for human users

I would recommend not using users at all: <https://www.leebriggs.co.uk/blog/2022/01/23/gha-cloud-credentials.html>

That looks awesome, i’ll try to implement it.

image.png

<@UCWG26BH7> , you are missing the `{{ $secrets.ROLE_ARN }}` there (on the blog post)

There’s Something that I still can’t figure out after reading this guide,
Which “tool” will run this pulumi program ? if it’s GHA, it’ll need creds in order to create the role and oidc provider, or is it just for 1 time running from local console

<@U035KFY9S84> I created the roles manually outside github actions, its a one time operation