# aws
w
Hello. Would like to quickly run by you an issue with `pulumi refresh` I've come across when using explicit aws providers within a specific scenario. For context, I am wanting to use explicit aws providers to enable easy cross-account deployment of resources. Most deployments will be done via a GitHub Actions workflow, but we will occasionally be required to deploy from local machines too. The IAM roles we use for deployments from GitHub and local machines are not the same, and so the provider's `role_to_assume` is changed based on the deployment environment. However, running the `pulumi refresh` command locally if the previous deployment was made from GitHub causes an access denied error, but running `pulumi up` does not give the same error and will simply deploy any changes. Was wondering if there's a neat workaround I've not thought of to enable `pulumi refresh` in this scenario, something other than manually editing the aws provider `role_to_assume` in the backend state file after changing deployment environment?
l
Easiest is to always assume the same role for deployments. In this case, you may want to consider role chaining. Instead of allowing the role you assume from your local desktop to deploy stuff, allow it to assume the same role that the GitHub deployments use.