
polite-umbrella-11196

02/26/2023, 2:17 AM
Hi folks - just started trying to use Pulumi and the first thing I run into is trying to get MFA and Assume Role working. Is there a suggested approach or solution? I found the existing ticket in #1366, but there’s no workaround that seems to be “accepted”.

billowy-army-68599

02/26/2023, 3:03 AM
@polite-umbrella-11196 the general practice here is to grab credentials before invoking Pulumi up and set them as environment variables

polite-umbrella-11196

02/26/2023, 3:03 AM
That’s gonna be thoroughly obnoxious. Wish it worked like the `aws` cli does 😕
Figuring out how to get the aws cli to export the right environment variables suuuuuucks.

billowy-army-68599

02/26/2023, 3:07 AM
Pulumi doesn’t have any mechanism currently to prompt the user for values when it’s invoked. The issue is open, but it would require a fairly significant reworking of the way things are invoked and wired together, unfortunately. I’m sorry you find that “thoroughly obnoxious”. There’s lots of tools out there that can help with this, such as: https://github.com/remind101/assume-role and https://github.com/99designs/aws-vault#roles-and-mfa
aws vault is highly recommended

polite-umbrella-11196

02/26/2023, 3:08 AM
I’ll give it a spin.

rich-motorcycle-71684

02/27/2023, 12:25 AM
Hi Benn, not sure how you're normally working, but for us, we use controltower and SSO with MFA for security. We log onto Jumpcloud, our SSO provider, which prompts for MFA in the browser. We then go through to the AWS account screen and grab our temporary credentials for the day for the account we're working with. We either paste this in the environment, or the credentials file. In the pulumi stack file (`Pulumi.yourstack.yaml`) we reference the aws account profile (can be added manually as `aws:profile` or using `pulumi config set aws:profile profilename`). This seems like a secure method to me and a non-obnoxious workflow; you could give it or something similar a go.