This message was deleted.

thanks for the detailed write up. You indeed need to assume role using something like the AWS CLI to fix this. It's not necessarily a pulumi problem

Large posts like this can be posted in a thread, with the first post being just a summary. This is taking up a lot of space in the channel. Also, you can use Slack's "Create a code snippet" feature to highlight code and make it expandable.

if you have valid AWS credentials, you'd use

aws sts assume-role

to get temporary credentials for your prod role.

It looks like the roles you've created allow codebulid to assume a role which then allows them to assume another role. Are you then assuming that role?

@billowy-army-68599 Thanks for the help! aws sts assume-role in the CodeBuild did indeed get the job done 🎉 This was the code in the CodeBuild buildspec.yaml

- CREDENTIALS=$(aws sts assume-role --role-arn arn:aws:iam::${ProdAccountID}:role/${ProdRoleName} --role-session-name "codebuild-prod" --query "Credentials")
      - read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<<$( echo $CREDENTIALS | jq -r '"\(.AccessKeyId) \(.SecretAccessKey) \(.SessionToken)"' )
      - export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
      - export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
      - export AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN