Hello. Would like to quickly run by you an issue with

pulumi refresh

i’ve come across when using explicit aws providers within a specific scenario. For context I am wanting to use explicit aws providers to enable easy cross account deployment of resources. Most deployments will be done via a github actions workflow, but we will occasionally be required to deploy from local machines too. The iam roles we use for deployments from github and local machines are not the same and so the provider’s

role_to_assume

is changed based on the deployment environment. However running the

pulumi refresh

command locally if the previous deployment was made from github causes an access denied error, but running

pulumi up

does not give the same error and will simply deploy any changes. Was wondering if there’s a neat workaround i’ve not thought of to enable

pulumi refresh

in this scenario, something other than manually editing the the aws provider

role_to_assume

in the backend state file after changing deployment environment?

Easiest is to always assume the same role for deployments. In this case, you may want to consider role chaining. Instead of allowing the role you assume from your local desktop to deploy stuff, allow it to assume the same role that the GitHub deployments use.