Using Pulumi with multiple accounts

24 Jan 2021

When logging into Pulumi, using pulumi login the effect is machine wide. If, like me, you have multiple accounts i.e. personal and work, switching accounts by logging out and logging back in again becomes tedious fast. It's also risky when you find yourself logged into the wrong account and you do a pulumi up...

AWS CLI has a concept of named profiles that allows you select the profile an AWS CLI command applies to. Unfortunately Pulumi does not support such a concept. It does however support an environment variable PULUMI_ACCESS_TOKEN that takes precedence over the machine level access token. Using this with a function in your PowerShell $profile / Bash .bashrc, we can switch profiles on-the-fly for the current terminal session and any processes spawned from there. This neatly also allows you to use different accounts in separate terminal sessions at the same time.

To set this up, first go to your each of your Pulumi accounts' settings and generate an Access Token for each profile.

Then, if you are a PowerShell user, add this function to your PowerShell's $profile (obviously replace the tokens with your real tokens) :

function pulumi-profile([string]$profile){
    if($profile -eq ""){
        Write-Host "Profile name argument missing."
        return
    }
    pulumi logout
    $env:PULUMI_ACCESS_TOKEN = ""
    if($profile -eq "local"){
        pulumi login --local --non-interactive
        return
    }
    elseif($profile -eq "work"){
        $env:PULUMI_ACCESS_TOKEN = "pul-work-token"
    }
    elseif($profile -eq "personal"){
        $env:PULUMI_ACCESS_TOKEN = "pul-personal-token"
    }
    else{
        Write-Host "Unknown profile"
        return
    }
    pulumi login --non-interactive
}

Or, if you are a Bash user, add this function to your ~/.bashrc :

pulumi-profile() {
  if [ $# -eq 0 ]; then
    echo "Profile name argument missing."
    return
  fi
  pulumi logout
  export PULUMI_ACCESS_TOKEN=""
  if [ $1 == "local" ]; then
    pulumi login --local --non-interactive
  elif [ $1 == "work" ]; then
    export PULUMI_ACCESS_TOKEN="pul-work-token"
  elif [ $1 == "personal" ]; then
    export PULUMI_ACCESS_TOKEN="pul-personal-token"
  else
    echo "Unknown profile"
    return
  fi
  pulumi login --non-interactive
}

You can then switch Pulumi profile using by calling pulumi-profile <profile-name> in your terminal.

Example in PowerShell:

Powershell terminal

Example in Bash:

Bash terminal

Hope that helps!

Comments or feedback? Respond to this tweet.