# aws
s
Hi, a question around best practices. We are currently upscaling to multi-region deployments and creating our stack from scratch. We created an AWS organisation and we will be creating different accounts here for different prod accounts. We have existing IAM admin users in our management AWS account, and they will be used for assuming a role in the different test/prod accounts to interact with those accounts. I am wondering what the best practice with Pulumi is. How we are visualising our suite at present is to have projects with multiple stacks, where each stack is pointing to an environment. However, regarding the creds for the AWS account we are under a slight dilemma. We have considered two options, both of which we like and dislike at the same time.

1. Create IAM users in the child AWS accounts as well and use those credentials for Pulumi. However, with a growing number of regions this means a fair amount of creds to store and switch between for each stack deployment.

2. Use the IAM user in the management account, and use that single set of credentials for all resources and stacks by creating a provider which assumes the role and making the account ID configurable. However, this means we will need to pass the provider into every resource we create, and if someone misses using the provider it'll be devastating.

I am wondering if there are any best practices that Pulumi suggests in this scenario.
b
@stocky-petabyte-29883 I think the correct answer is to use AWS SSO 🙂 for human users, and use roles for CI/CD
which CI/CD tool are you using?
s
CircleCI
b
@stocky-petabyte-29883 create roles in each AWS account and use OIDC tokens: https://circleci.com/docs/2.0/openid-connect-tokens/
s
@billowy-army-68599 Thank you for sending this on. I don't have experience using AWS SSO with Pulumi, so if you have any helpful pointers on this please send them on. Cheers
b
AWS SSO is just a mechanism to authenticate with AWS as a human user. You'd set it up inside your org management account, and it allows you to authenticate to all other accounts in an AWS org.
It's not really "Pulumi" specific, it's just a better way of getting credentials.
Pulumi needs credentials to create infrastructure, and AWS gives you lots of ways to retrieve those credentials.
s
Cheers