Hi, @bentterp,
Thank you. You’re probably right about the Vault way; we’ll go deep into the Vault solution as soon as possible to check whether it’s feasible.
Minimal privs or not, MFA user creds for production deployment are not an option, and having “some type” of creds on a build (or related) machine is always necessary (including with Vault solutions, I suppose, e.g. the info needed to allow Vault access).
As Terraform supports AWS profiles, while we analyze Vault solutions we’ll try to see if the following solution works:
https://www.padok.fr/en/blog/authentication-aws-profiles
Also, this can be an option: