hi all, we’re trying to switch to AWS SSO but when using Pulumi’s S3 backend, it keeps throwing

SharedConfigErr: only one credential type may be specified per profile: source profile, credential source, credential process, web identity token, or sso

we have to use

credential_process

for the SDK so I tried to create a separate profile for Pulumi:

[pulumi-tst]
region = us-east-1
sso_start_url = <https://d-XXXX.awsapps.com/start>
sso_region = us-east-1
sso_account_id = XXXXAccountId
sso_role_name = XXXRole

but the backend doesn’t seem to respect

aws:profile

config form the stack, it only works if I specify it as an env variable

AWS_PROFILE

which isn’t very ergonomic for developers to manage separate profiles for the appand Pulumi. would love any pointers you have may

not sure if this is useful or not: https://github.com/pulumi/pulumi-aws/issues/1340

Yes,

aws:profile

is for configuring the default AWS provider. Backends are created before Pulumi starts. Different configuration is used.

Hi, I have had the same experience, for the moment I’m using envrc to set up thr AWS_PROFILE but for CI/CD I will try to create an aws provider

AWS providers do not affect the backend at all.