aws-iam
The aws-iam rotator enables you to rotate access credentials for an AWS IAM user in your Environment. Check out the aws-login documentation to learn more about authenticating with AWS.
Example
# my-org/logins/production
values:
aws:
region: us-west-2
login:
fn::open::aws-login:
oidc:
roleArn: arn:aws:iam::123456789:role/esc-oidc
sessionName: pulumi-environments-session
subjectAttributes:
- currentEnvironment.name
# my-org/rotators/key-rotator
values:
iam:
fn::rotate::aws-iam:
inputs:
region: ${environments.logins.production.aws.region}
login: ${environments.logins.production.aws.login}
userArn: arn:aws:iam::<account id>:user/<username>
If you have existing access and secret key(s) you want ESC to keep track of, you can optionally provide an initial state.
# my-org/rotators/key-rotator
values:
iam:
fn::rotate::aws-iam:
inputs:
region: ${environments.logins.production.aws.region}
login: ${environments.logins.production.aws.login}
userArn: arn:aws:iam::<account id>:user/<username>
state:
current:
accessKeyId: <access key>
secretAccessKey:
fn::secret: <secret key>
previous:
accessKeyId: <access key>
secretAccessKey:
fn::secret: <secret key>
Alternative: static credentials
Instead of an OIDC login, you can supply static AWS credentials directly to the rotator’s login. The managing credentials must have permission to rotate the target user’s access keys:
# my-org/rotators/key-rotator
values:
iam:
fn::rotate::aws-iam:
inputs:
region: us-west-2
login:
accessKeyId: <access key>
secretAccessKey:
fn::secret: <secret key>
userArn: arn:aws:iam::<account id>:user/<username>
Schema reference
Reference schemas last updated on 2026-07-11, synced automatically from the Pulumi Cloud ESC API.
Inputs
loginAWSLogin requiredThe AWS credentials to use.- ↳
accessKeyIdstring requiredThe AWS access key ID. - ↳
secretAccessKeystring requiredThe AWS secret access key. - ↳
sessionTokenstring optionalThe AWS session token, if any. regionstring optionalThe AWS region.userArnstring requiredThe ARN for the IAM user
State
currentobject requiredThe AWS credentials for the IAM user.- ↳
accessKeyIdstring requiredThe AWS access key ID. - ↳
createdAtstring optionalWhen the access key was created, in RFC3339 format. - ↳
secretAccessKeystring requiredThe AWS secret access key. previousobject optionalThe AWS credentials for the IAM user.- ↳
accessKeyIdstring requiredThe AWS access key ID. - ↳
createdAtstring optionalWhen the access key was created, in RFC3339 format. - ↳
secretAccessKeystring requiredThe AWS secret access key.
Outputs
currentobject requiredThe AWS credentials for the IAM user.- ↳
accessKeyIdstring requiredThe AWS access key ID. - ↳
createdAtstring optionalWhen the access key was created, in RFC3339 format. - ↳
secretAccessKeystring requiredThe AWS secret access key. previousobject optionalThe AWS credentials for the IAM user.- ↳
accessKeyIdstring requiredThe AWS access key ID. - ↳
createdAtstring optionalWhen the access key was created, in RFC3339 format. - ↳
secretAccessKeystring requiredThe AWS secret access key.
Configuring OIDC
To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and AWS, see the OpenID Connect integration documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following:
pulumi env open <org>/<project>/<environment>command of the Pulumi CLIpulumi env open <org>/<project>/<environment>command of the Pulumi CLI
Make sure to replace <org>, <project>, and <environment> with the values of your Pulumi organization and environment identifier respectively. You should see output similar to the following:
{
"aws": {
"login": {
"accessKeyId": "ASIA....",
"secretAccessKey": "mWdm....",
"sessionToken": "Fwo...."
}
},
"iam": {
"current": {
"accessKeyId": "AKIA...",
"createdAt": "2025-01-01T12:00:00Z",
"secretAccessKey": "[secret]"
},
"previous": {
"accessKeyId": "AKIA...",
"createdAt": "2025-01-01T13:00:00Z",
"secretAccessKey": "[secret]"
}
}
}
Permissions
The minimum permissions required for the rotation role are:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListAccessKeys",
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:GetUser",
"iam:TagUser"
],
"Resource": "arn:aws:iam::<account id>:user/<username>"
}
]
}
Troubleshooting
| Symptom | Likely cause | Resolution |
|---|---|---|
| Rotation fails with a permissions error | The login identity may lack the IAM permissions required to manage the user’s access keys. | Grant the rotation role the minimum permissions for the target userArn, then rotate again. |
| Rotation fails when creating a new access key | The IAM user may already have the maximum number of access keys AWS allows, none managed by ESC. | Delete an unused access key on the IAM user so the rotator can create a new one, or seed the existing keys via the state input. |
| OIDC login fails when opening the environment | The trust policy or audience on the rotation role may be misconfigured. | Verify the OIDC trust relationship per Configuring OIDC for AWS. |
Related
- Rotators - How credential rotation works in Pulumi ESC
- aws-login - Authenticate with AWS via OIDC or static credentials
- Configuring OIDC for AWS - Set up OIDC between Pulumi Cloud and AWS
- Rotators reference - Catalog of all ESC rotators