@pulumi/aws with assumeRoleWithWebIdentity using a google service account

pulumi-aws-with-gcp-service-account.ts

import * as aws from '@pulumi/aws';
import { all, output, secret } from '@pulumi/pulumi';

const serviceAccount = output('my-service-account@my-project.iam.gserviceaccount.com');
const audience = output('*****');
const awsRoleArn = output('arn:aws:iam::999999999999:role/pulumi-aws-federation');

const token = secret(
    all([serviceAccount, audience]).apply(async ([serviceAccount, audience]) => {
        const client = await auth.getClient();
        const response = await client.request<{ token: string }>({
            method: 'POST',
            url: `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${encodeURIComponent(
                serviceAccount,
            )}:generateIdToken`,
            data: {
                audience,
                includeEmail: true,
            },
        });
        return response.data.token;
    }),
);
const provider = new aws.Provider('aws', {
    region: 'eu-west-1',
    assumeRoleWithWebIdentity: {
        roleArn: awsRoleArn,
        webIdentityToken: token,
    },
});
new aws.s3.Bucket('my-bucket-53efcbd4499a768d', { tags: { foo: 'bar' } }, { provider });