Hi folks - just started trying to use Pulumi and the first thing I run into is trying to get MFA and Assume Role working. Is there a suggested approach or solution? I found the existing ticket in #1366, but there’s no workaround that seems to be “accepted”.

@polite-umbrella-11196 the general practice here is to grab credentials before invoking Pulumi up and set them as environment variables

That’s gonna be thoroughly obnoxious. Wish it worked like the

aws

cli does 😕

Pulumi doesn’t have any mechanism currently to prompt the user for values when it’s invoked, the issue is open but it would require a fairly significant reworking of the way things are invoked and wired together unfortunately. I’m sorry you find that “thoroughly obnoxious” There’s lots of tools out there that can help with this, such as: https://github.com/remind101/assume-role https://github.com/99designs/aws-vault#roles-and-mfa

I’ll give it a spin.

Hi Benn, Not sure how you're normally working but for us, we use controltower and SSO with MFA for security We log onto Jumpcloud, our SSO provider, which prompts for MFA in the browser. We then go through to the AWS account screen and and grab our temporary credentials for the day for the account we're working with. We either paste this in the environment, or the credentials file. In the pulumi stack file (

Pulumi.yourstack.yaml

) we reference the aws account profile (can be added manually as

aws:profile

or using

pulumi config set aws:profile profilename

) This seems like a secure method to me and a non-obnoxious workflow, you could give it or something similar a go