No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

thanks for the detailed write up. You indeed need to assume role using something like the AWS CLI to fix this. It's not necessarily a pulumi problem

Large posts like this can be posted in a thread, with the first post being just a summary. This is taking up a lot of space in the channel.
Also, you can use Slack's "Create a code snippet" feature to highlight code and make it expandable.

if you have valid AWS credentials, you'd use `aws sts assume-role` to get temporary credentials for your prod role.

It looks like the roles you've created allow codebulid to assume a role which then allows them to assume another role. Are you then assuming that role?

<@UCWG26BH7> Thanks for the help! aws sts assume-role in the CodeBuild did indeed get the job done :tada:

This was the code in the CodeBuild buildspec.yaml
```      - CREDENTIALS=$(aws sts assume-role --role-arn arn:aws:iam::${ProdAccountID}:role/${ProdRoleName} --role-session-name "codebuild-prod" --query "Credentials")
      - read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN &lt;&lt;&lt;$( echo $CREDENTIALS | jq -r '"\(.AccessKeyId) \(.SecretAccessKey) \(.SessionToken)"' )
      - export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
      - export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
      - export AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN```


<@U012UJTT55M> Good point, I will do that next time. And yes, CodeBuild is assuming a role in its own account that allows it to assume a role in another account, I believe it's called role chaining.