pulumi-kubernetes-operator
Deploy a stack using STS tokens instead of fixed credentials to access aws resource
Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
Currently, it seems the operator does not support a process that uses STS tokens to access AWS resources, like for example the one described in this article about using Google Cloud Platform to access AWS resources.
Affected area/feature
The simplest resolution would be to add a new configuration to configure the required "assume-role-with-web-identity" call and then use the produced AWS credentials for the remainder of the Pulumi stack deployment.
Thanks for reporting this enhancement request; we will be adding this to our backlog. I agree that we might want to improve our overall authorization user journeys within this operator.
With PKO v2, the architecture has changed in a way that mostly addresses this issue. Each stack now has a dedicated pod and associated Kubernetes service account. One may also add extra volumes such as a projected service account token, with which to authenticate to AWS/GCP/Azure. One may then configure the Pulumi provider to use the projected token file.
Read more about extensibility in the announcement post: https://www.pulumi.com/blog/pulumi-kubernetes-operator-2-0/
Please give v2 a try, and do tell if it satisfies your goals. Thanks!
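The setup described in the reply above (a projected service account token mounted into the stack's workspace pod and handed to the AWS credential chain) as an added example, not a manifest from the issue or from the operator's own documentation. It assumes the PKO v2 Stack fields `spec.workspaceTemplate.spec.serviceAccountName` and `spec.workspaceTemplate.spec.podTemplate`, assumes the workspace container is named `pulumi`, and uses placeholder values for the stack, repository, service account and IAM role ARN. `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are the standard AWS SDK environment variables for `AssumeRoleWithWebIdentity`, which the Pulumi AWS provider picks up through the default credential chain.

```yaml
# Added example: a PKO v2 Stack whose workspace pod authenticates to AWS with a
# short-lived projected service account token instead of static access keys.
# All names, the repo URL and the role ARN below are constructed placeholders.
apiVersion: pulumi.com/v1
kind: Stack
metadata:
  name: example-stack
  namespace: pulumi
spec:
  stack: exampleorg/exampleproject/dev      # placeholder stack reference
  projectRepo: https://github.com/example/infra   # placeholder repository
  branch: main
  workspaceTemplate:
    spec:
      # Assumed field: the Kubernetes service account the workspace pod runs as.
      # Its OIDC subject (system:serviceaccount:pulumi:pulumi-deployer) is what
      # the IAM role's trust policy should be scoped to.
      serviceAccountName: pulumi-deployer
      podTemplate:
        spec:
          containers:
            - name: pulumi        # assumed name of the workspace container
              env:
                # Role to assume via sts:AssumeRoleWithWebIdentity (placeholder ARN).
                - name: AWS_ROLE_ARN
                  value: arn:aws:iam::123456789012:role/PLACEHOLDER-pulumi-deployer
                # Path of the projected token; the AWS SDK reads it on every
                # credential refresh, so token rotation needs no pod restart.
                - name: AWS_WEB_IDENTITY_TOKEN_FILE
                  value: /var/run/secrets/aws/token
              volumeMounts:
                - name: aws-identity-token
                  mountPath: /var/run/secrets/aws
                  readOnly: true
          volumes:
            - name: aws-identity-token
              projected:
                sources:
                  - serviceAccountToken:
                      # Audience must match the one the IAM OIDC provider trusts;
                      # a token minted for this audience is useless elsewhere.
                      audience: sts.amazonaws.com
                      # Short lifetime; the kubelet rotates the file before expiry.
                      expirationSeconds: 3600
                      path: token
```

For this to work the cluster's OIDC issuer has to be registered as an IAM identity provider, and the role's trust policy should allow `sts:AssumeRoleWithWebIdentity` only for that provider with a condition on the token's `sub` claim (the exact `system:serviceaccount:<namespace>:<name>` string) and `aud` claim. That keeps the role bound to this one workspace pod, and since no long-lived key is ever stored in the cluster, there is nothing to leak through a Secret or an etcd backup; CloudTrail records each `AssumeRoleWithWebIdentity` call with the service account subject, which makes per-stack activity easy to audit.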