No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

at what scope? the root account? per user?

I have “pulumi-dev”  user, which have assumeRole permissions on my dev/stg/prod accounts

using aws organization, the pulumi user is on the root account, which can assume role on the child accounts.

so you want to enable mfa for the pulumi-dev user? that'll mean you get prompted for your aws mfa token every time you run your action

Yeah i’m a bit confused with that… I know that what MFA means, but in terms of using an AWS account with pulumi (or other iac tool), is there any best practice you recommend ?

you can't automate mfa in a ci/cd pipeline to the best of my knowledge, that's for human users

I would recommend not using users at all: <https://www.leebriggs.co.uk/blog/2022/01/23/gha-cloud-credentials.html>

That looks awesome, i’ll try to implement it.

image.png

<@UCWG26BH7> , you are missing the `{{ $secrets.ROLE_ARN }}` there (on the blog post)

There’s Something that I still can’t figure out after reading this guide,
Which “tool” will run this pulumi program ? if it’s GHA, it’ll need creds in order to create the role and oidc provider, or is it just for 1 time running from local console

<@U035KFY9S84> I created the roles manually outside github actions, its a one time operation