This message was deleted.

My current workaround is to generate session credentials using the aws cli (i.e.

aws sts assume-role --serial-number xxx ...

) and set environment variables for the session credentials (inspired by a part of your tutorial)

Let me find out. I don't believe you can specify the MFA token, but I'll check

Good morning @brave-planet-10645 were you able to find out anything?

So we don't support it in the "classic" aws provider and we don't currently support it in the native provider either. You can raise an issue in the native provider but since it's not supported in the upstream provider for the classic one it's probably not something we would support either. Just out of question, why would you have MFA on something that you'd probably want automated in a CI/CD pipeline anyway? You wouldn't want the pipeline to automatically enter the MFA credentials (and it probably wouldn't have access to a yubikey anyway)

Thanks for the details Piers! I agree it t would make sense to support this in the native provider, I will raise the issue. The use case here isn’t CI/CD, the article I linked to was just to show the alternative approach for assuming a role using a session token to make it clear, apologies if that was confusing. The goal here is to avoid having any long-lived-high-privilege IAM credentials, which the approach outlined in the linked AWS article achieves, and it would be great to be able to do this using Pulumi without having to drop back to a shell scripts