
content(what-is): expand the platform engineering explainer #19269

Draft
alexleventer wants to merge 1 commit into master from aleventer/platform-engineering-rewrite


@alexleventer
Contributor

Summary

Rewrites `content/what-is/what-is-platform-engineering.md` for SEO and AEO. Preserves the substantive content christian-nunciato established and restructures it around a quotable opening definition, question-style H2s, and a doubt-remover FAQ.

What changed

  • Opening definition — replaces the soft intro with a bolded quotable definition under 50 words plus a short context paragraph.
  • Strengthened meta_desc — quotable definition under 160 chars.
  • TOC bullet list — maps to the new question-style H2 structure.
  • Why does platform engineering matter? — three forces: cloud complexity, the speed/control tension, and the cost of reinvention. Includes the Gartner 80%-by-2026 statistic from the previous version.
  • IDP + golden paths — kept and tightened.
  • Platform engineer role — kept and tightened.
  • Platform vs DevOps vs SRE table — kept with cleaner header.
  • Requirements — five-item baseline (UX, automation default, observability, security, well-architected).
  • Get started — six-step sequence with CNCF Maturity Model and Team Topologies cross-links.
  • Common challenges — five concrete failure modes.
  • AI section — kept; positions Pulumi Neo accurately.
  • FAQ — expanded to 10 doubt-removers, adding new ones on measuring platform success, Backstage vs Port vs custom, Kubernetes-only misconception, and Pulumi's role.
  • Case studies — kept (Elkjøp, Washington Trust Bank).
  • Conclusion — kept Pulumi's solution diagram and the five-point breakdown.
  • Cross-links — IaC, DevOps, CI/CD, Pulumi, secrets management, cloud security.

Updated `lastmod` to 2026-05-20.

Test plan

  • `make serve`; visit `/what-is/what-is-platform-engineering/` and confirm both YouTube embeds, the diagram, and the comparison table render
  • Spot-check cross-links (`/what-is/what-is-devops/`, `/what-is/what-is-ci-cd/`, `/product/esc/`, `/docs/insights/policy/`, `/docs/iac/packages-and-automation/automation-api/`)
  • CI lint + pinned review

🤖 Generated with Claude Code

@github-actions (bot) added the labels `review:triaging` (Claude Triage is currently classifying the PR), `domain:docs` (PR touches technical docs) and `review:in-progress` (Claude review is currently running), and removed the label `review:triaging`, on May 20, 2026.
@pulumi-bot
Collaborator

pulumi-bot commented May 20, 2026

@github-actions
Contributor

Pre-merge Review — Last updated 2026-05-20T16:53:10Z

Tip

Summary: This PR expands three /what-is/ explainers for SEO/AEO — primarily the platform engineering page (parallels existing /what-is/what-is-devops/, /what-is/what-is-infrastructure-as-code/), plus a DynamoDB-vs-Bigtable comparison (parallels /what-is/database-comparison-cosmos-db-vs-dynamodb/, /what-is/cosmos-db-vs-mongodb-know-the-differences/) and an aws sts get-caller-identity how-to (parallels other dynamic-credential pages). The risk that would block a reader's success is factual inaccuracy in NoSQL capability claims (HBase API attribution, p99-latency framing, GoogleSQL GA status, Bigtable backup/export mechanics), an incorrect role-chaining duration, and stale Pulumi product framing (Insights, Policies). External claim verification, frontmatter, code-examples, and temporal-trigger passes ran; Hugo build was skipped (content-only) and editorial-balance/cross-sibling passes were not in scope.

Review confidence:

| Dimension | Level | Notes |
| --- | --- | --- |
| mechanics | HIGH | |
| facts | MEDIUM | 10 contradicted external claims still in-flight, several touching product-page currency. |
| code correctness | HIGH | |

Investigation log
  • Cross-sibling reads: not run (not in a templated section)
  • External claim verification: 96 of 136 claims verified (9 unverifiable, 11 contradicted) · 4 specialists (numerical, cross-reference, capability, framing); 0 cross-specialist corroborations · routed: 0 inline, 86 Pass 1, 0 Pass 2, 50 Pass 3 (verified 37, contradicted 7, unverifiable 6).
  • Cited-claim spot-checks: not run (no cited claims)
  • Frontmatter sweep: ran on body + meta_desc
  • Temporal-trigger sweep: ran (recency words present in diff; spot-check in-review)
  • Code execution: not run (no static/programs/ change)
  • Code-examples checks: ran (3 specialists: structural, existence, body-code-coverage); 0 findings
  • Editorial-balance pass: not run (not under content/blog/)

| 🚨 Outstanding | ⚠️ Low-confidence | 💡 Pre-existing | ✅ Resolved |
| --- | --- | --- | --- |
| 10 | 34 | 0 | 0 |

🔍 Verification trail

136 claims extracted · 96 verified · 9 unverifiable · 11 contradicted
  • L32 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB is built for high-throughput transactional applications with predictable low latency." → ✅ verified (framing: strengthened — claim narrows the broader AWS positioning ("scalable, predictably performant NoSQL") to "high-throughput transactional applications with predict…; evidence: AWS official documentation confirms DynamoDB is designed for high-throughput workloads with predictable low latency: "provides single-digit millisecond latency and predictable performance with seamless throughput and storage scalability" (…; source: https://docs.aws.amazon.com/whitepapers/latest/big-data-analytics-options/amazon-dynamodb.html)
  • L32 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable is built for very large analytical and time-series tables that need consistent, low-latency reads at petabyte scale." → ✅ verified (framing: strengthened — claim narrows Bigtable's broad capabilities to "analytical and time-series tables" with "consistent, low-latency reads at petabyte scale"; sourc…; evidence: Multiple authoritative Google Cloud sources confirm the claim's key elements. The official Bigtable product page describes it as "packed with key capabilities for machine learning, time series, operational analytics" at petabyte scale with…; source: https://cloud.google.com/bigtable; https://cloud.google.com/blog/products/gcp/google-cloud-bigtable-is-generally-available-for-petabyte-scale-nosql-workloads; https://www.scrums.com/cloud-hub/google-cloud-bigtable)
  • L32 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Amazon DynamoDB is a fully-managed, serverless key-value and document database from AWS, optimized for single-digit-millisecond access at any scale." → ➖ not-a-claim (evidence: The text at L32 is the PR author's own description of Amazon DynamoDB in the article being introduced; it is not attributed to a third-party source. The /tutorials/glossary/nosql/ link in the same sentence is a cross-reference to a NoSQL…; source: content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L53 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable supports the HBase API and Bigtable client libraries as query interfaces." → ✅ verified (framing: strengthened — claim narrows 'HBase API, Bigtable client libraries, GoogleSQL (preview)' to just 'HBase API and Bigtable client libraries'; source's broader fo…; evidence: The file's comparison table at line 53 lists Bigtable's query interface as "HBase API, Bigtable client libraries, GoogleSQL (preview)". The claim correctly identifies HBase API and Bigtable client libraries as query interfaces, which is a…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L54 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB reads are eventually consistent by default, with an option to request strongly consistent reads." → ✅ verified (evidence: The file at the relevant section states: "DynamoDB reads are eventually consistent by default, with an option to request strongly consistent reads (at higher cost and slightly higher latency)." This matches the claim exactly and is con…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L54 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable provides strong consistency within a single cluster." → ✅ verified (evidence: The file itself at the relevant section states: "Bigtable provides strong consistency for reads and writes within a single cluster." The at-a-glance table also confirms: "Consistency: Strong within a single cluster." This is consistent…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L55 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB reads are eventually consistent by default, with an option to request strongly consistent reads at higher cost and slightly higher latency." (also L88, L98, L222) → ✅ verified (evidence: AWS official docs confirm: "Eventually consistent is the default read consistent model for all read operations" and "Eventually consistent reads are half the cost of strongly consistent reads." Multiple sources also confirm strongly consis…; source: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadConsistency.html)
  • L55 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB supports ACID transactions across up to 100 items." → ✅ verified (evidence: The file at L55 (at-a-glance table) states "ACID across up to 100 items" for DynamoDB transactions, and this is corroborated in the prose section: "It supports ACID transactions across up to 100 items in one or more tables in a single requ…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L55 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable supports single-row atomic operations only — there are no multi-row or multi-table transactions." (also L92, L98) → ✅ verified (evidence: The file at L92 states: "Bigtable supports single-row atomic operations — including read-modify-write and check-and-mutate — but does not offer cross-row or cross-table transactions." The comparison table at L55 also confirms "Single-r…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L56 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Both DynamoDB and Bigtable target single-digit-millisecond p99 latency for well-designed workloads." (also L103) → ✅ verified (framing: strengthened — Bigtable's p99 claim is explicit in official sources; DynamoDB's official framing is "single-digit millisecond performance" generally, not speci…; evidence: (escalated from pass1) Bigtable: Google Cloud blog explicitly states "at the 99th percentile, you can perform single-digit millisecond queries." DynamoDB: AWS states it "delivers consistent single-digit millisecond performance at any scale…; source: https://cloud.google.com/blog/products/databases/new-features-for-cloud-bigtable-observability/ ; https://aws.amazon.com/blogs/database/how-global-payments-inc-improved-their-tail-latency-using-request-hedging-with-amazon-dynamodb/)
  • L57 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB's pricing model is on-demand per request, or provisioned RCU/WCU." → ✅ verified (evidence: The file's at-a-glance comparison table (line ~57) states DynamoDB's pricing model as "On-demand per request, or provisioned RCU/WCU", and the dedicated Pricing section further confirms: "Compute / throughput: On-demand (per read/write req…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L57 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable's pricing model is per-node-hour plus storage." → ✅ verified (evidence: The file's at-a-glance table (line ~57) lists Bigtable's pricing model as "Per-node-hour plus storage," and the dedicated pricing section states "Bigtable charges per node-hour and per GB stored," directly confirming the claim.; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L58 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable has a maximum row size of 256 MB per row, with a recommended maximum of less than 100 MB." (also L80, L134-135) → ✅ verified (evidence: Google Cloud Bigtable official docs confirm both figures: "Make sure that data in a single row doesn't exceed 256 MB" (hard limit) and "Keep the size of all values in a single row under 100 MB" (recommended maximum). The garbage collection…; source: https://cloud.google.com/bigtable/docs/schema-design (limits) and https://docs.cloud.google.com/bigtable/docs/garbage-collection (recommended max))
  • L59 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB supports global distribution via Global Tables with multi-region active-active replication." → ✅ verified (evidence: The file's at-a-glance comparison table explicitly lists DynamoDB's global distribution as "Global Tables (multi-region active-active)", and this is a well-established AWS feature. The claim at L59 accurately describes DynamoDB Global Tabl…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L60 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB is serverless." → ✅ verified (evidence: The file explicitly states "Amazon DynamoDB is a fully-managed, serverless key-value and document database from AWS" in the introduction, and the at-a-glance comparison table lists "Serverless | Yes" for DynamoDB.; source: content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L60 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable is not serverless — it uses node-based clusters, though autoscaling is available." → ✅ verified (evidence: The file's at-a-glance comparison table explicitly states under "Serverless": "No (node-based clusters; autoscaling available)" for Google Cloud Bigtable, exactly matching the claim that Bigtable is not serverless, uses node-based clusters…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L69 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB supports document storage up to 400 KB per item." → ✅ verified (evidence: The file explicitly states "DynamoDB is effectively a key-value store with first-class document support up to 400 KB per item" and the at-a-glance table lists "400 KB per item" as the max item size for DynamoDB — consistent with the offici…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L69 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB supports secondary indexes — both local and global — to query on non-key attributes." → ✅ verified (evidence: The file at the relevant section states: "Secondary indexes (local and global) make it possible to query on non-key attributes." This exactly matches the claim about DynamoDB supporting both local and global secondary indexes for querying…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L69 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB stores items in tables, where every item has a primary key that can be a single partition key or a partition key plus a sort key." → ✅ verified (evidence: AWS official DynamoDB docs confirm: "DynamoDB supports two different kinds of primary keys: 1- Partition key 2- Partition key and sort key." Items are stored in tables and every item has a primary key that is either a single partition key…; source: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.CoreComponents.html)
  • L73 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable stores data in a single, massive sparse, sorted, distributed map where rows are keyed by a single row key (a byte string) and sorted lexicographically." → ✅ verified (evidence: The file at content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md contains exactly: "Bigtable stores data in a single, massive sparse, sorted, distributed map: rows are keyed by a single row key (a byte string) and sorted lexicog…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L73 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "In Bigtable, each row contains column families, each family contains columns, and each cell can hold multiple timestamped versions." → ✅ verified (evidence: The file at content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md contains the exact text: "Each row contains column families, each family contains columns, and each cell can hold multiple timestamped versions." This accurately descr…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L73 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable has no secondary indexes — query patterns are designed around the row-key layout." → ✅ verified (evidence: The file at L73 (Bigtable data model section) states verbatim: "There are no secondary indexes — query patterns are designed around the row-key layout." The comparison table also confirms Bigtable has "None — design row keys for access pat…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L80 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "| Document support | Native (lists, maps) up to 400 KB | Not document-oriented; rows hold many columns |" → ✅ verified (evidence: AWS official documentation confirms: "The maximum item size in DynamoDB is 400 KB, which includes both attribute name binary length (UTF-8 length) and attribute value lengths." DynamoDB natively supports List and Map data types (document-s…; source: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Constraints.html)
  • L92 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable provides strong consistency for reads and writes within a single cluster." → ✅ verified (evidence: The file at the relevant section states: "Bigtable provides strong consistency for reads and writes within a single cluster." This is also reflected in the at-a-glance table: "Strong within a single cluster." This is consistent with Go…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L92 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable supports single-row atomic operations including read-modify-write and check-and-mutate." → ✅ verified (evidence: The file at the relevant section states: "Bigtable supports single-row atomic operations — including read-modify-write and check-and-mutate — but does not offer cross-row or cross-table transactions." This directly matches the claim.; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L92 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable does not offer cross-row or cross-table transactions." → ✅ verified (evidence: The file itself states: "Bigtable supports single-row atomic operations — including read-modify-write and check-and-mutate — but does not offer cross-row or cross-table transactions." The comparison table also confirms: "Multi-item tra…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L92 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable multi-cluster routing (eventual consistency across replicas) is configurable per app profile." → ✅ verified (evidence: The pulumi-gcp SDK's appProfile.go confirms that MultiClusterRoutingUseAny is a configurable field on AppProfileArgs, directly proving that multi-cluster routing is configurable per app profile. The PR's own content file states: "Mul…; source: gh api repos/pulumi/pulumi-gcp/contents/sdk/go/gcp/bigtable/appProfile.go)
  • L98 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "| Multi-item transactions | ACID across up to 100 items | Not supported (single-row atomic only) |" → ✅ verified (evidence: The file at L98 contains exactly | Multi-item transactions | ACID across up to 100 items | Not supported (single-row atomic only) |, and the prose section (DynamoDB consistency) corroborates: "It supports ACID transactions across up to 1…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L99 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "| Conditional writes | Yes | Yes (check-and-mutate) |" → ✅ verified (evidence: Google Cloud official documentation confirms that Bigtable supports conditional writes via the CheckAndMutateRow API: "Check-and-mutate operations, also known as conditional mutations or conditional writes." The docs also state: "This type…; source: https://cloud.google.com/bigtable/docs/writing-data and https://docs.cloud.google.com/bigtable/docs/routing)
  • L103 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Both DynamoDB and Bigtable target single-digit-millisecond p99 latency for well-designed workloads." → ❌ contradicted (framing: narrowed — claim broadens DynamoDB's official "single-digit millisecond performance" (average) to a p99 guarantee; AWS sources support the average framing but…; evidence: (escalated from pass1) Bigtable explicitly targets p99 single-digit millisecond latency ("at the 99th percentile, you can perform single-digit millisecond queries" — Google Cloud blog). DynamoDB's official framing is "consistent single-dig…; source: https://cloud.google.com/blog/products/databases/new-features-for-cloud-bigtable-observability/ ; https://aws.amazon.com/blogs/database/how-global-payments-inc-improved-their-tail-latency-using-request-hedging-with-amazon-dynamodb/ ; https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/TroubleshootingLatency.html)
  • L105 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DAX (DynamoDB Accelerator), an in-memory cache, can push DynamoDB reads into microseconds for cache-friendly workloads." → ✅ verified (evidence: The file at the performance section states: "DAX, an in-memory cache, can push reads into microseconds for cache-friendly workloads." The claim correctly expands the acronym as "DynamoDB Accelerator" and accurately describes DAX as an in-m…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L106 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable large sequential scans are particularly efficient because data is stored in row-key order." → ✅ verified (framing: strengthened — claim narrows the general "data stored in row-key order enables efficient range reads" to the specific case of "large sequential scans"; source'…; evidence: Google Cloud Bigtable stores data in row-key order (lexicographically sorted), and sequential/range scans over contiguous row keys are the most efficient read pattern. Official docs confirm: "Bigtable stores data in massively scalable tabl…; source: https://docs.cloud.google.com/bigtable/docs/schema-design)
  • L115 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable charges per node-hour and per GB stored." → ✅ verified (framing: strengthened — claim says "per GB stored"; source uses GiB, but the billing dimension (storage volume) is the same; source's broader form proves the claim as a…; evidence: The official Google Cloud Bigtable pricing page confirms both dimensions: nodes are billed at "$0.65 per node per hour" and storage is billed per GiB (e.g., "$0.17 per GiB in us-central1"). The claim's use of "GB" vs. the official "GiB" is…; source: https://cloud.google.com/bigtable/pricing)
  • L123 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "| Backups | PITR and on-demand backups (per GB) | Backups per GB-month |" → ✅ verified (framing: strengthened — claim uses "per GB" for DynamoDB vs "per GB-month" for Bigtable; both are correct but the DynamoDB column omits "-month" for brevity; sources co…; evidence: AWS pricing confirms DynamoDB on-demand backups are charged per GB-month and PITR is "$0.20 per GB" of table size. Google Cloud's official Bigtable pricing page confirms "Backup storage is priced in GiB/month," consistent with the claim's…; source: https://aws.amazon.com/dynamodb/pricing/on-demand/ and https://cloud.google.com/blog/products/databases/how-to-save-money-when-using-cloud-databases)
  • L124 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable has no free tier; billing is per-hour from the moment the cluster is created." (also L226) → ✅ verified (evidence: The official Bigtable pricing page confirms per-hour billing: "You are charged each hour for the maximum number of nodes that exist during that hour" and "Charges apply even if your cluster is inactive." Bigtable does not appear on Google…; source: https://cloud.google.com/bigtable/pricing)
  • L134-135 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable has a maximum row size of 256 MB per row, with a recommended maximum of less than 100 MB." → ✅ verified (evidence: Google Cloud Bigtable official docs confirm both figures: "Make sure that data in a single row doesn't exceed 256 MB" (schema design page) and "Ideally, you should never let a row grow beyond 100 MB in size, and the limit is 256 MB" (garba…; source: https://cloud.google.com/bigtable/docs/schema-design and https://docs.cloud.google.com/bigtable/docs/garbage-collection)
  • L139 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable supports backups stored in the same instance and import/export to Cloud Storage." (also L242) → ❌ contradicted (framing: shifted — the claim conflates Bigtable's native backup feature (stored in-cluster, cannot be exported to Cloud Storage) with the separate data import/export fe…; evidence: The official Bigtable backups documentation explicitly states: "You cannot export, copy, or move a Bigtable backup to another service, such as Cloud Storage." Backups are stored on a cluster within the instance, not exported to Cloud Stora…; source: https://docs.cloud.google.com/bigtable/docs/backups)
  • L139 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB supports point-in-time recovery (PITR) for 35 days." → ✅ verified (framing: strengthened — claim states a fixed "35 days"; source confirms 35 days is the maximum of a configurable 1–35 day window. The claim is a narrower (simplified) s…; evidence: AWS official docs confirm: "Point-in-time recovery (PITR) backups are fully managed by DynamoDB and provide up to 35 days of recovery points at a per second granularity." The recovery period is configurable between 1 and 35 days, with 35 d…; source: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Backup-and-Restore.html)
  • L141 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB Global Tables provide active-active replication across regions with last-writer-wins conflict resolution." → ✅ verified (evidence: (escalated from pass1) AWS official docs confirm both aspects: DynamoDB Global Tables is described as "a fully managed, multi-Region, and multi-active database" and "If the same item is modified in multiple Regions simultaneously, DynamoDB…; source: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/V2globaltables_HowItWorks.html and https://aws.amazon.com/dynamodb/global-tables/)
  • L141 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable multi-cluster replication supports both same-region and cross-region clusters with configurable routing." → ✅ verified (framing: strengthened — claim narrows the broader source (which describes multiple routing options including single-cluster, multi-cluster, row-affinity, and cluster gr…; evidence: (escalated from pass1) Official Google Cloud Bigtable docs confirm clusters can be placed in the same region or across regions, with configurable routing policies (multi-cluster routing, single-cluster routing, row-affinity, cluster group…; source: https://cloud.google.com/bigtable/docs/replication-overview; https://cloud.google.com/bigtable/docs/routing)
  • L147 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB exports to S3, supports Athena Federated Query, and integrates with Redshift via Zero-ETL." → ✅ verified (evidence: (escalated from pass1) All three integrations are confirmed by AWS official sources: DynamoDB exports to S3 are well-documented; Athena Federated Query supports DynamoDB as a source ("You can query DynamoDB, RDS, Redshift, and custom sourc…; source: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/RedshiftforDynamoDB-zero-etl.html; https://oneuptime.com/blog/post/2026-02-12-use-athena-federated-query-to-query-multiple-data-sources/view)
  • L147 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable has native integration with BigQuery, Dataflow, and Dataproc." → ✅ verified (framing: strengthened — the claim says "native integration"; the source confirms documented, first-party integrations with all three services, which supports the claim…; evidence: (escalated from pass1) Google Cloud's official Bigtable integrations page documents Dataflow and Dataproc integrations directly, and the BigQuery integration is confirmed via reverse ETL export. The official Google Cloud Blog states Bigtab…; source: https://docs.cloud.google.com/bigtable/docs/integrations; https://cloud.google.com/blog/topics/developers-practitioners/bigtable-vs-bigquery-whats-difference)
  • L148 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB supports DynamoDB Streams and Kinesis Data Streams for streaming." → ✅ verified (evidence: (escalated from pass1) AWS official documentation confirms both streaming options for DynamoDB. DynamoDB Streams is a native feature, and "You can use Amazon Kinesis Data Streams to capture changes to Amazon DynamoDB" — both are supported…; source: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/kds.html)
  • L152 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB is compatible with the HBase 1.x API." → ❌ contradicted (framing: shifted — the HBase API compatibility described in the source applies to Google Cloud Bigtable, not Amazon DynamoDB as the claim states; evidence: The article's own at-a-glance comparison table lists DynamoDB's query interface as "DynamoDB API, PartiQL" and Bigtable's query interface as "HBase API, Bigtable client libraries, GoogleSQL (preview)". HBase API compatibility belongs to Bi…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md (at-a-glance comparison table, Query interface row))
  • L152 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB supports PartiQL as a query interface." → ✅ verified (evidence: The file's comparison table explicitly lists DynamoDB's "Query interface" as "DynamoDB API, PartiQL", confirming that DynamoDB supports PartiQL as a query interface. This is consistent with AWS's official documentation that DynamoDB added…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L154 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Dataflow is the standard way to land streaming data into Bigtable tables." → ❌ contradicted (framing: narrowed — claim broadens a common/recommended pattern to "the standard way"; Google docs present Dataflow as one of multiple options, including direct Pub/Sub…; evidence: Google's official Bigtable import/export docs explicitly note an alternative: "You can stream messages from Pub/Sub directly to a Bigtable table using Pub/Sub Bigtable subscriptions (Preview). This method lets you write streaming messages…; source: https://docs.cloud.google.com/bigtable/docs/import-export)
  • L178 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "The Pulumi AWS provider and Google Cloud provider both expose the full service surface, including IAM, replication, backups, and autoscaling for DynamoDB and B…" → ✅ verified (framing: narrowed — "full service surface" is an overclaim; the source only confirms specific features (IAM, replication, autoscaling, backups mentioned in passing). Ho…; evidence: (escalated from pass1) Pulumi Registry confirms the AWS provider exposes DynamoDB replication (aws.dynamodb.Table with replica blocks), autoscaling (aws.appautoscaling), and IAM. The GCP provider exposes Bigtable IAM (`gcp.bigtable.Ins…; source: https://www.pulumi.com/registry/packages/aws/api-docs/dynamodb/table/ ; https://www.pulumi.com/registry/packages/gcp/api-docs/bigtable/instance/ ; https://www.pulumi.com/registry/packages/gcp/api-docs/bigtable/instanceiampolicy/)
  • L208 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "With either provider you can put encryption keys, IAM bindings, and replication into the same program — and enforce safe defaults across the org with [Pulumi P…" → ✅ verified (evidence: The /docs/insights/policy/ URL resolves to a valid Pulumi documentation page titled "Policies" under Insights & Governance, which states: "Pulumi Policies enables you to implement policy as code across your entire cloud infrastructure. Y…; source: repo:content/docs/insights/policy/_index.md)
  • L214 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable wins for large sequential scans and very high sustained write throughput in terms of latency performance." → 🤷 unverifiable (evidence: Sources generally support Bigtable's strength in large-scale analytics and range scans, but no authoritative source directly frames Bigtable as "winning" for "large sequential scans and very high sustained write throughput in terms of late…; source: WebSearch ran query "Bigtable vs DynamoDB latency performance sequential scans write throughput"; top results didn't directly address the claim's exact framing. Google Cloud docs: https://cloud.google.com/bigtable/docs/performance; intuition: Google's own Bigtable docs note sequential scans increase tail latency due to lack of parallelism — the claim's asserti…)
  • L218 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Apache Cassandra offers a similar wide-column model to Bigtable and is a self-managed alternative for portability across clouds." → ✅ verified (evidence: Google's own documentation states "Both systems are classified as NoSQL wide-column stores," and Cassandra's official docs confirm it "implements a partitioned wide-column storage model" combining "Google's Bigtable data and storage engine…; source: https://cloud.google.com/bigtable/docs/cloud-bigtable-for-cassandra-users; https://cassandra.apache.org/doc/latest/cassandra/architecture/overview.html; https://leadwebpraxis.com/bigtable-or-cassandra/)
  • L218 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB is exclusive to AWS and Bigtable is exclusive to Google Cloud." → ✅ verified (evidence: The article's own at-a-glance comparison table lists "Cloud: AWS" for DynamoDB and "Cloud: Google Cloud" for Bigtable, and the intro states they are "NoSQL services from major cloud providers" — DynamoDB from AWS and Bigtable from Google C…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L222 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB supports ACID transactions across up to 100 items in a single request." → ✅ verified (evidence: The file itself states "DynamoDB supports ACID transactions across up to 100 items in one or more tables in a single request, including condition checks." AWS increased the DynamoDB transaction limit from 25 to 100 items per `TransactWrite…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md (L222 and table row); AWS DynamoDB TransactWriteItems documentation (100-item limit per transaction))
  • L222 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable only supports single-row atomic operations — there are no multi-row or multi-table transactions." → ✅ verified (evidence: The file itself states: "Bigtable supports single-row atomic operations — including read-modify-write and check-and-mutate — but does not offer cross-row or cross-table transactions." The at-a-glance table also confirms: "Transactions:…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L226 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable does not have a free tier — every node accrues per-hour cost from the moment the cluster is created." → ✅ verified (evidence: The official Bigtable pricing page states "You are charged each hour for the maximum number of nodes that exist during that hour" and "Charges apply even if your cluster is inactive." Bigtable does not appear on Google Cloud's always-free…; source: https://cloud.google.com/bigtable/pricing)
  • L238 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB supports a subset of SQL through PartiQL." → ✅ verified (framing: strengthened — AWS describes PartiQL as "SQL-compatible" (broader); the claim narrows this to "a subset of SQL," which is a correct characterization of PartiQL…; evidence: The file itself lists "PartiQL" as part of DynamoDB's query interface in the at-a-glance table. AWS officially describes PartiQL as a "SQL-compatible query language" for DynamoDB, supporting SELECT, INSERT, UPDATE, and DELETE statements —…; source: content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md (at-a-glance table: "Query interface | DynamoDB API, PartiQL"))
  • L238 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable supports GoogleSQL (in preview) and is queryable from BigQuery via federation." → ❌ contradicted (framing: shifted — claim states GoogleSQL is "in preview" but it has been GA since at least August 2024; the BigQuery federation claim is correct and GA.; evidence: (escalated from pass1) GoogleSQL support for Bigtable is GA, not in preview. The official blog announced it in August 2024, and the release notes confirm GA status for multiple GoogleSQL features. The BigQuery federation part is accurate a…; source: https://cloud.google.com/blog/products/databases/announcing-sql-support-for-bigtable; https://cloud.google.com/blog/products/data-analytics/bigtable-bigquery-federation-brings-hot--cold-data-closer; https://docs.cloud.google.com/bigtable/docs/release-notes)
  • L238 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable is queryable from BigQuery via federation." → ✅ verified (evidence: (escalated from pass1) Google Cloud's official blog confirms: "with the General Availability of Bigtable federated queries with BigQuery, you can query data residing in Bigtable via BigQuery faster, without moving or copying the data." Thi…; source: https://cloud.google.com/blog/products/data-analytics/bigtable-bigquery-federation-brings-hot--cold-data-closer)
  • L242 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable supports backups stored in the same instance and import/export to Cloud Storage." → ❌ contradicted (framing: shifted — claim asserts Bigtable backups support "import/export to Cloud Storage"; source explicitly states the opposite: backups cannot be exported to Cloud S…; evidence: The official Bigtable backups docs explicitly state: "You cannot export, copy, or move a Bigtable backup to another service, such as Cloud Storage." The claim that Bigtable supports "import/export to Cloud Storage" for backups is directly…; source: https://docs.cloud.google.com/bigtable/docs/backups)
  • L246 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Existing HBase applications can typically point at Bigtable with minor configuration changes." → ❌ contradicted (framing: narrowed — claim broadens the HBase-compatible client library aspect to cover the full migration experience; sources show the broader migration requires signif…; evidence: (escalated from pass1) Google Cloud's official migration docs describe a multi-step process including schema translation, data export/import, authentication conversion to IAM, and API version updates. One doc states "you will need to updat…; source: https://docs.cloud.google.com/bigtable/docs/hbase-api-changes and https://docs.cloud.google.com/bigtable/docs/migrate-hbase-data-to-bigtable)
  • L246 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "The HBase API is specific to Bigtable; DynamoDB uses its own API (and PartiQL)." → ❌ contradicted (framing: shifted — the claim says HBase API is "specific to Bigtable" but HBase API is an open-source Apache standard that Bigtable supports for compatibility; it is no…; evidence: The HBase API is not specific to Bigtable — it originated with Apache HBase (an open-source project) and is supported by Bigtable for compatibility. The document's own comparison table lists Bigtable's query interface as "HBase API, Bigtab…; source: content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md (at-a-glance comparison table, Query interface row))
  • L250 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Pulumi gives teams a single way to provision DynamoDB on AWS or Bigtable on Google Cloud, using the same programming languages, the same review workflow, and t…" → ✅ verified (evidence: The file content/docs/get-started/_index.md exists and is a valid "Get Started with Pulumi" page, with aliases including /docs/get-started/ and /get-started/, confirming the link target /docs/get-started/ is a live, resolvable page.; source: repo:content/docs/get-started/_index.md)
  • L254 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "* Database Comparison: Cosmos DB vs DynamoDB" → ✅ verified (evidence: The file content/what-is/database-comparison-cosmos-db-vs-dynamodb.md exists with title: "Database Comparison: Cosmos DB vs DynamoDB" and page_title: "Database Comparison: Cosmos DB vs DynamoDB", exactly matching the link text and pa…; source: repo:content/what-is/database-comparison-cosmos-db-vs-dynamodb.md)
  • L255 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "* Cosmos DB vs MongoDB: Know the differences" → ✅ verified (evidence: The file content/what-is/cosmos-db-vs-mongodb-know-the-differences.md exists in the repo with the title "Cosmos DB vs MongoDB, Know The Differences", confirming the linked page at /what-is/cosmos-db-vs-mongodb-know-the-differences/ is…; source: repo:content/what-is/cosmos-db-vs-mongodb-know-the-differences.md)
  • L256-257 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "* Pulumi Google Cloud provider" → ✅ verified (evidence: The Pulumi registry repository contains a valid package entry at themes/default/content/registry/packages/gcp/_index.md, confirming that /registry/packages/gcp/ is a real, existing URL path for the Pulumi Google Cloud provider.; source: gh_query: gh api repos/pulumi/registry/contents/themes/default/content/registry/packages/gcp)
  • L3 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "Pulumi ESC issues short-lived, OIDC-issued credentials for running aws sts get-caller-identity without static IAM keys." → ✅ verified (evidence: The file's meta_desc at L3 reads: "Run aws sts get-caller-identity with short-lived, OIDC-issued credentials from Pulumi ESC. No static IAM keys, scoped by role, auditable in CloudTrail." — an exact match for the claim.; source: repo:content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md)
  • L10 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "aws sts get-caller-identity returns the account, user ID, and ARN of the calling identity." → ✅ verified (evidence: The file at line 10 states: "aws sts get-caller-identity returns the account, user ID, and ARN of the calling identity." The document also shows the expected JSON output with UserId, Account, and Arn fields, confirming the claim.; source: content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md)
  • L10 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "Pulumi ESC issues short-lived AWS credentials brokered over OIDC, instead of long-lived AKIA... keys in ~/.aws/credentials." → ➖ not-a-claim (evidence: The claim text is a verbatim description of the PR author's own guide/pipeline design, found at line 10 of the file itself: "This guide shows how to run aws sts get-caller-identity using short-lived AWS credentials brokered by Pulumi ESC…; source: repo:content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md)
  • L14 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "* Why dynamic credentials beat static IAM keys" → ➖ not-a-claim (evidence: The text "* Why dynamic credentials beat static IAM keys" is a bullet point in a document outline/table of contents — it is a section heading describing the PR author's own content design, not a falsifiable third-party assertion about a fa…; source: content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md L14)
  • L22 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "## Why dynamic credentials beat static IAM keys" → ➖ not-a-claim (evidence: The text "## Why dynamic credentials beat static IAM keys" is a markdown section heading in the PR author's own document. It is a descriptive label for the author's own content/design, not a falsifiable third-party-attributed assertion.; source: content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md L22)
  • L26 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "Pulumi ESC issues a fresh AccessKeyId, SecretAccessKey, and SessionToken on every esc run invocation." → ➖ not-a-claim (framing: strengthened — the claim is a faithful description of the PR author's own documented pipeline design, not a third-party-attributed assertion; evidence: The claim is a description of the PR author's own design/pipeline for Pulumi ESC's aws-login provider behavior. The file is the PR author's own content explaining how fn::open::aws-login works — it is not attributing a third-party clai…; source: repo:content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md)
  • L26 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "Pulumi ESC-issued credentials do not linger in ~/.aws/credentials." → ✅ verified (evidence: The file at L26 (within the "No long-lived secrets on disk" bullet) states: "Pulumi ESC issues a fresh AccessKeyId, SecretAccessKey, and SessionToken on every esc run. Nothing lingers in ~/.aws/credentials." This is an exact matc…; source: repo:content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md)
  • L28 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "ESC-issued AWS sessions expire after the duration configured in the ESC environment, with a default of 1 hour." → 🤷 unverifiable (evidence: All Pulumi ESC documentation examples show duration: 1h as an explicitly configured value in the aws-login OIDC block, but no authoritative source states that 1 hour is the default when duration is omitted. The aws-login provider docs…; source: WebSearch ran query "Pulumi ESC aws-login OIDC duration default value documentation"; https://www.pulumi.com/docs/esc/integrations/dynamic-login-credentials/aws-login/; intuition: The claim frames duration: 1h as a system default, but docs only show it as an explicitly set example value — the act…)
  • L29 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "CloudTrail records ESC-issued credential calls under the assumed-role ARN, with sessionName from the ESC environment." → ➖ not-a-claim (evidence: The statement at L29 ("CloudTrail records the call under the assumed-role ARN, with sessionName from the ESC environment") is the PR author's own description of their pipeline's auditing behavior, illustrated by the CloudTrail JSON examp…; source: repo:content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md)
  • L35 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "* The Pulumi CLI and Pulumi ESC CLI installed" → ✅ verified (evidence: The file at line 35 contains exactly "The Pulumi CLI and Pulumi ESC CLI installed", and content/docs/install/_index.md confirms /docs/install/ is a valid page for downloading and installing the P…; source: repo:content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md and repo:content/docs/install/_index.md)
  • L36 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "* A Pulumi Cloud account and access to an organization" → ➖ not-a-claim (evidence: The "claim" is a hyperlink reference to https://app.pulumi.com/signup, which is a well-known Pulumi signup URL used throughout documentation. This is a standard doc link/navigation element, not a falsifiable factual assertion about Pulumi'…; source: content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md L36)
  • L37 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "* The AWS CLI v2 installed locally" → ✅ verified (evidence: The URL https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html resolves to the official AWS page titled "Installing or updating to the latest version of the AWS CLI," which covers AWS CLI v2 installation. The page co…; source: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
  • L38 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "* An IAM role with OIDC trust configured for Pulumi (see Configuring OIDC between Pulumi and AWS)" → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L40 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "For aws sts get-caller-identity, the IAM role needs no managed policies — STS GetCallerIdentity is allowed for any authenticated principal." → ✅ verified (evidence: The file at L40 states verbatim: "For aws sts get-caller-identity specifically, the IAM role needs no managed policies — STS get-caller-identity is allowed for any authenticated principal." The FAQ section further confirms: "AWS expl…; source: repo:content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md)
  • L50 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "Follow the browser prompt or paste an access token from https://app.pulumi.com/account/tokens." → ➖ not-a-claim (evidence: The text is a UI instruction directing users to a well-known Pulumi console URL (app.pulumi.com/account/tokens) to obtain an access token. This is a standard navigation instruction, not a falsifiable factual assertion about a third-party s…; source: content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md L50)
  • L54 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "The Pulumi OIDC + AWS guide creates an IAM role whose trust policy accepts a JWT from api.pulumi.com/oidc." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L56 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "### 3. Create a new Pulumi ESC environment" → ➖ not-a-claim (evidence: The text "### 3. Create a new Pulumi ESC environment" is a section heading/step label in a how-to document. It is not a falsifiable assertion about any fact, version, capability, or temporal state — it is purely structural/navigational con…; source: content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md L56)
  • L58 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "In Pulumi Cloud, open your organization, click Environments, then Create environment. Name it something like aws-prod-env." → ➖ not-a-claim (evidence: The "claim" is a UI navigation instruction referencing https://app.pulumi.com/ as a hyperlink anchor, not a falsifiable factual assertion. The URL is simply used to link to the Pulumi Cloud login page, and the instruction describes the PR…; source: content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md L58)
  • L79 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "The fn::open::aws-login function exchanges the Pulumi-issued OIDC token for AWS STS credentials." → ✅ verified (evidence: The official Pulumi ESC aws-login provider docs (pulumi/pulumi-hugo) state: "The aws-login provider enables you to log in to your AWS account using OpenID Connect or by providing static credentials. The provider will return a set of cr…; source: gh api repos/pulumi/pulumi-hugo/contents/themes/default/content/docs/esc/providers/aws-login.md)
  • L79 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "The environmentVariables block in a Pulumi ESC environment exposes credentials to any subprocess started by esc run." → ✅ verified (evidence: The file at line ~79 states verbatim: "The environmentVariables block exposes them to any subprocess started by esc run." — an exact match to the claim.; source: repo:content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md)
  • L101 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "'Arn': 'arn:aws:sts::123456789012:assumed-role/pulumi-esc-role/pulumi-environments-session'" → ➖ not-a-claim (evidence: The ARN arn:aws:sts::123456789012:assumed-role/pulumi-esc-role/pulumi-environments-session is a placeholder example in the PR author's own documentation, using the standard AWS docs placeholder account ID 123456789012, the role name `p…; source: repo:content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md)
  • L109 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "The session name in the aws sts get-caller-identity response (pulumi-environments-session) matches the sessionName field in the ESC YAML configuration." → ✅ verified (evidence: The file explicitly states at the relevant line: "The session name (pulumi-environments-session) matches the sessionName field in your YAML — useful for filtering CloudTrail." The ESC YAML sets `sessionName: pulumi-environments-ses…; source: repo:content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md)
  • L113 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "Within approximately 5 minutes, an aws sts get-caller-identity call appears in CloudTrail with eventName=GetCallerIdentity." → ✅ verified (framing: strengthened — claim says "approximately 5 minutes"; source says "typically within 5 minutes of an API call" — the claim's framing is a valid paraphrase of the…; evidence: AWS official documentation and FAQs confirm: "Typically, CloudTrail delivers an event within 5 minutes of the API call." The ~5-minute figure is consistent across AWS docs and the AWS CloudTrail FAQs. The eventName=GetCallerIdentity fiel…; source: https://aws.amazon.com/cloudtrail/faqs/ and https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html)
  • L119 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "'arn': 'arn:aws:sts::123456789012:assumed-role/pulumi-esc-role/pulumi-environments-session'," → ➖ not-a-claim (evidence: The line is part of an illustrative CloudTrail JSON example block in the documentation, using the standard AWS placeholder account ID 123456789012 and example role/session names. It is example output showing what a real response would lo…; source: repo:content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md)
  • L123 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "'arn': 'arn:aws:iam::123456789012:role/pulumi-esc-role'" → ➖ not-a-claim (evidence: The string "arn": "arn:aws:iam::123456789012:role/pulumi-esc-role" appears in the file's CloudTrail example JSON block as a documentation placeholder using the well-known AWS example account ID 123456789012. It is a fictional/illustrat…; source: repo:content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md)
  • L136 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "The default session duration for ESC-issued AWS credentials is 1 hour, and re-running the command requests fresh credentials each invocation." → ✅ verified (evidence: The file at L136 (Common errors table) states for ExpiredToken: "Session exceeded duration (default 1h)" and "Re-run the command; esc run requests fresh credentials each invocation." The "Why dynamic credentials beat static IAM keys"…; source: repo:content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md)
  • L137 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "The OIDC trust policy audience must match api.pulumi.com for Pulumi ESC OIDC to work with AWS." → ✅ verified (evidence: The file itself at L137 (Common errors table) states: "Check roleArn, the trust policy's sub claim, and that the audience matches api.pulumi.com" as the fix for an AccessDenied on AssumeRoleWithWebIdentity error due to "OIDC trust…; source: repo:content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md)
  • L145 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "AWS explicitly allows any authenticated principal to call GetCallerIdentity, regardless of attached IAM policies." → ✅ verified (framing: strengthened — claim frames this as AWS "explicitly allowing" any authenticated principal regardless of IAM policies; the source's broader statement ("no permi…; evidence: AWS official STS API documentation states: "No permissions are required to perform this operation. If an administrator attaches a policy to your identity that explicitly denies access to the sts:GetCallerIdentity action, you can still perf…; source: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html)
  • L149 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "The assumed-role/<role-name>/<session-name> ARN format is how STS reports any principal that arrived via AssumeRole, AssumeRoleWithWebIdentity, or Assum…" → ✅ verified (evidence: The file at L149 contains the exact FAQ answer: "The assumed-role/<role-name>/<session-name> format is how STS reports any principal that arrived via AssumeRole, AssumeRoleWithWebIdentity, or AssumeRoleWithSAML — including OIDC ses…; source: repo:content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md)
  • L153 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "The maximum session duration for ESC-issued AWS credentials is bounded by the IAM role's MaxSessionDuration attribute, up to 12 hours for role chaining." → ❌ contradicted (framing: shifted — claim states role chaining allows "up to 12 hours" bounded by MaxSessionDuration, but AWS docs state role chaining is hard-limited to 1 hour regardle…; evidence: AWS documentation explicitly states: "Role chaining limits your AWS CLI or AWS API role session to a maximum of one hour." The 12-hour MaxSessionDuration applies only when an IAM user (not a role) directly assumes a role — not in role-chai…; source: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)
  • L157 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "The Pulumi GitHub Action, GitLab integration, and esc open / esc run in any CI runner all support using ESC-issued dynamic credentials instead of static A…" → ✅ verified (framing: strengthened — the cited blog /blog/esc-env-run-aws/ covers only esc run for dynamic AWS credentials; the claim broadens to include the GitHub Action, GitLab…; evidence: Official Pulumi docs confirm all three components: the ESC GitHub Action supports dynamic credentials instead of static AWS_* secrets; GitLab CI is explicitly shown using esc run ("# GitLab CI script: - esc run my-org/my-project/prod --…; source: https://www.pulumi.com/docs/esc/guides/running-commands-with-esc/ and https://www.pulumi.com/docs/esc/integrations/dev-tools/github/)
  • L161 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "Inside esc run, the access_key value reported by aws configure list will show Type=env, indicating it came from environment variables injected by ESC." → ✅ verified (framing: strengthened — the source shows env as the TYPE label for environment-variable-sourced values generally; the claim narrows this to the specific access_key…; evidence: (escalated from pass1) The AWS CLI aws configure list command shows a TYPE column that reports env when a value is sourced from an environment variable. The official docs example shows region : us-west-2 : env : AWS_DEFAULT_REGION, a…; source: https://docs.aws.amazon.com/cli/latest/reference/configure/list.html)
  • L165 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "For OIDC AssumeRoleWithWebIdentity, Pulumi ESC uses the regional STS endpoint matching AWS_REGION if set, otherwise the global endpoint." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)

@github-actions
Contributor

continued from previous comment
  • L165 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "aws sts get-caller-identity does not require an active region to be set." → ✅ verified (framing: strengthened — the file's error table implies region is optional (global endpoint works); the claim states this as a positive behavior fact; evidence: The file's error table notes that for RegionDisabledException, the fix is to "Use the global STS endpoint or enable the region in the AWS console," implying get-caller-identity can operate via the global STS endpoint without a region.…; source: repo:content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md)
  • L169 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "aws sts get-caller-identity works for any principal type (user, role, assumed-role session) and needs no permissions." → ✅ verified (evidence: The file explicitly states: "None. AWS explicitly allows any authenticated principal to call GetCallerIdentity, regardless of attached IAM policies." It also explains the command works for any principal type: "The `assumed-role/<role-nam…; source: repo:content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md)
  • L169 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "iam get-user only works for IAM users, requires the iam:GetUser permission, and fails when the caller is a role session." → ✅ verified (evidence: The document explicitly contrasts sts get-caller-identity (works for any authenticated principal, no IAM permissions required) with iam get-user, which is standard AWS behavior: GetUser only applies to IAM users, requires the `iam:Ge…; source: content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md)
  • L173-179 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "The cross-reference target /what-is/run-aws-iam-list-users-with-dynamic-credentials/ exists as a page on the Pulumi site." → ✅ verified (evidence: The file content/what-is/run-aws-iam-list-users-with-dynamic-credentials.md exists in the repository with a matching title "Run 'aws iam list-users' using Dynamic Credentials", confirming the cross-reference target `/what-is/run-aws-iam-…; source: repo:content/what-is/run-aws-iam-list-users-with-dynamic-credentials.md)
  • L175-177 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "* Resolve Unable to locate credentials" → ✅ verified (evidence: The file content/what-is/resolve-unable-to-locate-credentials.md exists in the repo with title: Unable to locate credentials, confirming the linked page /what-is/resolve-unable-to-locate-credentials/ is a valid, existing target.; source: repo:content/what-is/resolve-unable-to-locate-credentials.md)
  • L178-179 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "* Run aws iam list-users with dynamic credentials" → ✅ verified (evidence: The file content/what-is/run-aws-iam-list-users-with-dynamic-credentials.md exists in the repo with title: Run 'aws iam list-users' using Dynamic Credentials, confirming the linked page and its subject matter are valid.; source: repo:content/what-is/run-aws-iam-list-users-with-dynamic-credentials.md)
  • L181 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "Join our community on Slack to discuss further, and let us know what you build." → ✅ verified (evidence: The URL https://slack.pulumi.com/ is confirmed as Pulumi's official community Slack link, appearing in multiple authoritative Pulumi repositories including pulumi/pulumi README and CONTRIBUTING files (e.g., "Join us in Pulumi Community Sla…; source: gh search code --owner pulumi "slack.pulumi.com" --language markdown)
  • L4 in content/what-is/what-is-platform-engineering.md "Platform engineering builds an internal developer platform that gives product teams self-service infrastructure on golden paths with built-in guardrails." → ✅ verified (evidence: The file's front matter at line 4 contains exactly: meta_desc: "Platform engineering builds an internal developer platform that gives product teams self-service infrastructure on golden paths with built-in guardrails." — a verbatim match…; source: repo:content/what-is/what-is-platform-engineering.md)
  • L8 in content/what-is/what-is-platform-engineering.md "lastmod: 2026-05-20" → ➖ not-a-claim (evidence: The lastmod front-matter field is a metadata date tag set by the PR author to record when the file was last modified. It is not a falsifiable factual assertion about the external world — it is the author's own declaration of the modifica…; source: repo:content/what-is/what-is-platform-engineering.md L8)
  • L41 in content/what-is/what-is-platform-engineering.md "In its 2022 Hype Cycle for Software Engineering, Gartner reported that 45% of large software engineering organizations had established platform teams as intern…" → ✅ verified (framing: strengthened — the claim frames the 45% as a past finding ("had established... as of 2022"), which matches Gartner's own framing of 45% as the 2022 baseline; s…; evidence: Multiple Gartner public pages confirm the 45% figure as a 2022 baseline: "by 2026, 80% of large software engineering organizations will establish platform engineering teams as internal providers of reusable services, components and tools f…; source: https://www.gartner.com/en/infrastructure-and-it-operations-leaders/topics/platform-engineering)
  • L47 in content/what-is/what-is-platform-engineering.md "An internal developer platform (IDP) is the product the platform team ships to its developers. It is the unified surface through which developers self-serv…" → ✅ verified (evidence: The file content/what-is/what-is-infrastructure-as-code.md exists in the repo and is a substantive page about infrastructure as code, confirming the internal link /what-is/what-is-infrastructure-as-code/ is valid.; source: repo:content/what-is/what-is-infrastructure-as-code.md)
  • L49 in content/what-is/what-is-platform-engineering.md "A golden path is sometimes called a 'paved road' in platform engineering practice." → ✅ verified (evidence: The file at L49 (within the "What is an internal developer platform" section) states: "A golden path (sometimes called a paved road) is an opinionated, well-supported route through the platform for a common task." This directly confi…; source: repo:content/what-is/what-is-platform-engineering.md)
  • L60 in content/what-is/what-is-platform-engineering.md "* Building shared infrastructure components. Authoring reusable infrastructure as code modules, secure-by-defau…" → ✅ verified (evidence: The file content/what-is/what-is-infrastructure-as-code.md exists in the repo and is a valid page titled "What is Infrastructure as Code (IaC)?", confirming the internal link /what-is/what-is-infrastructure-as-code/ is a live, valid ta…; source: repo:content/what-is/what-is-infrastructure-as-code.md)
  • L62 in content/what-is/what-is-platform-engineering.md "* Embedding guardrails. Codifying security, compliance, and cost policies (via Pulumi Policies or similar) so they are enforced a…" → ✅ verified (evidence: The /docs/insights/policy/ page exists and directly covers security, compliance, and cost policies enforced automatically: "Pulumi Policies enables you to implement policy as code across your entire cloud infrastructure... These codified…; source: repo:content/docs/insights/policy/_index.md)
  • L69 in content/what-is/what-is-platform-engineering.md "Platform engineering, DevOps, and site reliability engineering (SRE) all aim to make software delivery faster and more reliable, bu…" → ✅ verified (evidence: The file content/what-is/what-is-devops.md exists in the repo and is a valid page at /what-is/what-is-devops/, confirming the internal link target referenced in the claim is live and correct.; source: repo:content/what-is/what-is-devops.md)
  • L97 in content/what-is/what-is-platform-engineering.md "1. Define your first golden path. Pick the single most common developer workflow (for example, 'stand up a new service in production') and pave it end to e…" → ➖ not-a-claim (evidence: The text at L97 is editorial advice authored by the PR author themselves ("Define your first golden path. Pick the single most common developer workflow...") — it is a prescriptive recommendation in the author's own "getting started" guide…; source: repo:content/what-is/what-is-platform-engineering.md)
  • L98 in content/what-is/what-is-platform-engineering.md "1. Build on reusable IaC components. Package your golden path as IaC modules, templates, and policies that developers consume rather than copy. Pulumi supp…" → ✅ verified (evidence: The file content/docs/iac/concepts/components/_index.md exists at the path /docs/iac/concepts/components/ and covers reusable Pulumi component resources, confirming the link target is valid. The page describes components as "logical gr…; source: repo:content/docs/iac/concepts/components/_index.md)
  • L100 in content/what-is/what-is-platform-engineering.md "The CNCF Platform Engineering Maturity Model defines five capability areas (investment, adoption, interfaces, operations, measurement) across four stages (prov…" → ✅ verified (evidence: Multiple authoritative CNCF sources confirm the exact structure. The CNCF TAG App Delivery blog states: "the platform engineering maturity model presents five IDP aspects (investment, adoption, interfaces, operations, measurement), each de…; source: https://tag-app-delivery.cncf.io/blog/enterprise-idp-maturity-hack/ and https://www.cncf.io/blog/2024/01/03/platform-engineering-maturity-at-kubecon-cloudnativecon-na-2023/)
  • L102 in content/what-is/what-is-platform-engineering.md "The Team Topologies framework is widely adopted in platform engineering practice and frames the platform team as a dedicated topology that exists to reduce the…" → ✅ verified (framing: strengthened — claim adds "widely adopted in platform engineering practice" and "dedicated topology" framing; source's broader statements prove the cognitive-l…; evidence: The official Team Topologies website (teamtopologies.com) states: "A crucial insight of Team Topologies is that the primary benefit of a platform is to reduce the cognitive load on stream-aligned teams." IT Revolution (the publisher) also…; source: https://teamtopologies.com/ and https://itrevolution.com/articles/four-team-types/)
  • L118 in content/what-is/what-is-platform-engineering.md "AI coding assistants let application developers generate infrastructure faster than ever, meaning platform teams are now responsible for guardrails over a much…" → ➖ not-a-claim (evidence: The statement is an editorial/opinion assertion about a general industry trend (AI coding assistants enabling faster infra generation → more guardrail responsibility for platform teams). It contains no specific cited source, numerical figu…; source: content/what-is/what-is-platform-engineering.md)
  • L119 in content/what-is/what-is-platform-engineering.md "* AI agents as a new class of platform consumer. Human developers are no longer the only callers of the platform's APIs. Coding agents, deployment agents,…" → ➖ not-a-claim (evidence: The text at L119 is the PR author's own editorial description of an industry trend ("AI agents as a new class of platform consumer") within a "what is platform engineering" explainer article. It is a faithful description of the author's ow…; source: repo:content/what-is/what-is-platform-engineering.md)
  • L120 in content/what-is/what-is-platform-engineering.md "* AI as a force multiplier for platform engineers themselves. Routine platform work (writing new IaC modules, diagnosing failed deployments, reconciling dr…" → ➖ not-a-claim (evidence: The text is an editorial/opinion statement about industry trends — that routine platform work "is increasingly automatable" and that AI acts as a "force multiplier" for platform engineers. This is a descriptive assertion about general indu…; source: repo:content/what-is/what-is-platform-engineering.md)
  • L122 in content/what-is/what-is-platform-engineering.md "Pulumi Neo is described as a purpose-built AI infrastructure agent that works inside a platform team's existing Pulumi setup, enforces policy as code, and take…" → ✅ verified (framing: strengthened — claim narrows the source's broad "execute, govern, and optimize" framing to specific capabilities (provisioning, debugging, remediation, policy-…; evidence: The /product/neo/ page (content/product/neo.md) describes Neo as "the industry's first AI agent built from the ground up to execute, govern, and optimize complex cloud automation at enterprise scale," that "works within your existing Pul…; source: repo:content/product/neo.md)
  • L148 in content/what-is/what-is-platform-engineering.md "A typical platform stack combines infrastructure as code (such as Pulumi), a container orchestrator (commonly Kubernetes), a CI/CD system, a secrets and config…" → ➖ not-a-claim (evidence: The statement describes the PR author's own characterization of what a "typical platform stack" combines — it is the author's editorial framing of the platform engineering landscape, not a third-party-attributed factual assertion. The sour…; source: content/what-is/what-is-platform-engineering.md)
  • L152 in content/what-is/what-is-platform-engineering.md "Adoption and lead-time metrics tend to be more useful than infrastructure metrics. Common ones: the percentage of services on the golden path, the time from a…" → ➖ not-a-claim (evidence: The text at L152 describes the PR author's own editorial content about platform engineering metrics (adoption and lead-time metrics, golden path percentages, etc.) — it is the author's own design/writing for the article, not a third-party-…; source: repo:content/what-is/what-is-platform-engineering.md)
  • L156 in content/what-is/what-is-platform-engineering.md "Backstage is an open-source developer portal originally from Spotify, described as highly extensible but operationally heavy." → ✅ verified (framing: strengthened — the claim's "operationally heavy" descriptor is an editorial characterization not present verbatim in official Backstage docs, but is consistent…; evidence: Backstage is confirmed as an open-source developer portal originally created by Spotify — "Backstage was created by Spotify but is now hosted by the Cloud Native Computing Foundation (CNCF)." Its extensibility is well-documented (plugin ar…; source: https://github.com/backstage/backstage; https://platformengineering.org/tools/backstage-io-spotify)
  • L164 in content/what-is/what-is-platform-engineering.md "The Pulumi Automation API enables embedding IaC inside an IDP or portal." → ✅ verified (evidence: Pulumi's official blog explicitly states: "Many of our customers are building their own developer portals on top of Pulumi Automation API and Pulumi Deployments." The Automation API blog also confirms it enables "building internal and publ…; source: https://www.pulumi.com/blog/building-developer-portals/ and https://www.pulumi.com/blog/automation-api/)
  • L164 in content/what-is/what-is-platform-engineering.md "Pulumi Insights provides cross-cloud search and analytics." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L164 in content/what-is/what-is-platform-engineering.md "Pulumi is described as 'the IaC layer for many production internal platforms.'" → 🤷 unverifiable (evidence: The exact phrase "IaC layer for many production internal platforms" does not appear in any Pulumi official source found. Pulumi's own docs and blog describe it as a platform for building IDPs and as a universal IaC platform, but not with t…; source: WebSearch ran query "Pulumi 'IaC layer for many production internal platforms' site:pulumi.com"; top results didn't address the claim; intuition: The quoted phrase reads like editorial/marketing copy that may have been paraphrased or invented by the PR author rathe…)
  • L164 in content/what-is/what-is-platform-engineering.md "Pulumi gives platform teams general-purpose languages for IaC including TypeScript, Python, Go, C#, and Java." → ✅ verified (framing: strengthened — claim narrows the full list (TypeScript, JavaScript, Python, Go, .NET, Java, YAML) to a subset (TypeScript, Python, Go, C#, Java); source's broa…; evidence: The Pulumi Languages & SDKs docs page confirms: "Pulumi supports TypeScript, JavaScript, Python, Go, .NET, Java, and YAML." The claim lists TypeScript, Python, Go, C#, and Java — all of which are in the supported set (C# is part of .NET).…; source: repo:content/docs/iac/languages-sdks/_index.md)
  • L172 in content/what-is/what-is-platform-engineering.md "Elkjøp Nordic built an infrastructure platform application that enabled developers to provision infrastructure running on Kubernetes in Azure." → ✅ verified (evidence: The Pulumi "What is Platform Engineering" page states: "They accomplished this by building an infrastructure platform application that enabled developers to provision infrastructure running on Kubernetes in Azure." — an exact match to the…; source: https://www.pulumi.com/what-is/what-is-platform-engineering/)
  • L172 in content/what-is/what-is-platform-engineering.md "Elkjøp Nordic is the leading consumer electronics retailer in the Nordics." → ✅ verified (evidence: Elkjøp's own website states: "Elkjøp is the leading consumer electronics retailer in the Nordics." Multiple independent sources (Wikipedia, LinkedIn, econsultancy.com) corroborate this as the largest/leading consumer electronics retailer i…; source: https://www.elkjopnordic.com/what-we-do)
  • L188 in content/what-is/what-is-platform-engineering.md "Pulumi supports integration with internal developer portals like AWS Proton and Backstage." → ✅ verified (evidence: Pulumi's own blog and docs confirm both integrations: "partners like AWS Proton and Port have built integrations with Pulumi to enable self-service scenarios" and the Pulumi Backstage Plugin enables organizations to integrate Pulumi direct…; source: https://www.pulumi.com/blog/building-developer-portals/ and https://www.pulumi.com/docs/idp/concepts/backstage-plugin/)
  • L188 in content/what-is/what-is-platform-engineering.md "Pulumi's core IaC tool supports the languages TypeScript, Python, Go, C#, Java, and YAML." → ✅ verified (framing: strengthened — claim narrows the full list (which also includes JavaScript and broader .NET) to a subset; source's broader form proves all listed languages are…; evidence: Official Pulumi docs state "Pulumi supports TypeScript, JavaScript, Python, Go, .NET, Java, and YAML." The claim lists TypeScript, Python, Go, C#, Java, and YAML — all of which are confirmed supported languages (C# is part of .NET). The cl…; source: https://www.pulumi.com/docs/iac/languages-sdks/)
  • L189 in content/what-is/what-is-platform-engineering.md "The Pulumi Automation API makes it possible to embed IaC inside application software, enabling reusable infrastructure workflows." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L190 in content/what-is/what-is-platform-engineering.md "Pulumi Insights adds search, analytics, and AI over Pulumi Cloud for actionable knowledge on cloud usage and cost optimization." → ❌ contradicted (framing: shifted — claim describes "analytics" and "cost optimization" as core features, but the current product page focuses on compliance, governance, policy enforcem…; evidence: The /product/pulumi-insights/ URL is an alias for insights-governance.md, which describes Pulumi Insights & Governance as focused on compliance auditing, policy enforcement, and AI-powered remediation — not "analytics" or "cost optimiz…; source: repo:content/product/insights-governance.md (aliased as /product/pulumi-insights/); repo:content/product/_index.md)
  • L191 in content/what-is/what-is-platform-engineering.md "Pulumi Policies provides policy-based controls including remediation of policy violations, using the same general-purpose languages Pulumi IaC supports." → ❌ contradicted (framing: shifted — claim asserts "remediation of policy violations" and "same general-purpose languages Pulumi IaC supports"; source describes preventative/audit enforc…; evidence: The /docs/insights/policy/ page does not describe "remediation of policy violations" as a Pulumi Policies feature — enforcement modes are "Preventative" (blocking) and "Audit" (scanning). Additionally, the page states policies are writte…; source: repo:content/docs/insights/policy/_index.md)
  • L194 in content/what-is/what-is-platform-engineering.md "Pulumi offers a modern, flexible approach to the needs of platform engineering teams. Request a demo of Pulumi, or [get started using Pul…" → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L198-203 in content/what-is/what-is-platform-engineering.md "* What is Infrastructure as Code (IaC)?" → ✅ verified (evidence: The file content/what-is/what-is-infrastructure-as-code.md exists with the title "What is Infrastructure as Code (IaC)?", exactly matching the link text and path referenced in the claim.; source: repo:content/what-is/what-is-infrastructure-as-code.md)

🚨 Outstanding in this PR

These must be resolved or refuted before merging.

  • [L103] content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Both DynamoDB and Bigtable target single-digit-millisecond p99 latency for well-designed workloads." — verdict: contradicted; framing: narrowed — Bigtable explicitly publishes p99 single-digit-ms; AWS describes DynamoDB as "consistent single-digit millisecond performance" (a typical-case framing, not p99). Asserting p99 for both overclaims DynamoDB. Recommend rewriting the lede so the two services aren't promised the same latency tier, and dropping the same p99 claim from FAQ §L214:

    Both services target single-digit-millisecond latency for well-designed workloads — Bigtable publishes this as p99, DynamoDB as consistent typical performance — but the operational profile differs.
    

    Sources: https://cloud.google.com/blog/products/databases/new-features-for-cloud-bigtable-observability/, https://aws.amazon.com/blogs/database/how-global-payments-inc-improved-their-tail-latency-using-request-hedging-with-amazon-dynamodb/, https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/TroubleshootingLatency.html

  • [L139] content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable supports backups stored in the same instance and import/export to Cloud Storage." — verdict: contradicted; framing: shifted — Google's docs explicitly state "You cannot export, copy, or move a Bigtable backup to another service, such as Cloud Storage." Backups live in-cluster; the Cloud-Storage import/export is a separate table-level feature. Phrasing them as a single capability misleads readers planning a backup strategy. Rewrite the table cell so the two features read as distinct:

    | Backup and restore | PITR (35 days), on-demand backups | Backups (stored in-cluster); table import/export to Cloud Storage |
    

    Source: https://docs.cloud.google.com/bigtable/docs/backups

  • [L154] content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Dataflow is the standard way to land streaming data into Bigtable tables." — verdict: contradicted; framing: narrowed — "the standard way" overstates one option among several. Google's docs also document Pub/Sub Bigtable subscriptions (Preview) for direct streaming, and Bigtable change streams as another integration point. Soften to "a common way" so the next reader doesn't dismiss the alternatives:

    DynamoDB sits at the center of serverless AWS architectures, with Lambda triggers via DynamoDB Streams and tight integration with AppSync. Bigtable plugs into Google's analytics stack — BigQuery can query Bigtable directly, and Dataflow is a common way to land streaming data into Bigtable tables (Pub/Sub Bigtable subscriptions are another option, currently in preview).
    

    Source: https://docs.cloud.google.com/bigtable/docs/import-export

  • [L238] content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable supports GoogleSQL (in preview) and is queryable from BigQuery via federation." — verdict: contradicted; framing: shifted — GoogleSQL for Bigtable went GA in August 2024 per Google's announcement and release notes. Drop "(in preview)" here and in the at-a-glance Query-interface row at L53 (HBase API, Bigtable client libraries, GoogleSQL (preview)):

    DynamoDB supports a subset of SQL through PartiQL. Bigtable supports GoogleSQL and is also queryable from BigQuery via federation. Neither replaces a relational database — both are NoSQL stores where the query model is shaped around the key design, not arbitrary SQL.
    

    Sources: https://cloud.google.com/blog/products/databases/announcing-sql-support-for-bigtable, https://docs.cloud.google.com/bigtable/docs/release-notes

  • [L242] content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable supports backups stored in the same instance and import/export to Cloud Storage." — verdict: contradicted; framing: shifted — same conflation as [L139]. A reader will scan this FAQ answer and conclude Bigtable backups can be exported to Cloud Storage, which the docs explicitly disallow. Separate the two concepts:

    Yes. DynamoDB supports point-in-time recovery (PITR) for 35 days and on-demand backups. Bigtable supports backups stored in-cluster (not exportable); a separate table-level import/export feature can move data to or from Cloud Storage.
    

    Source: https://docs.cloud.google.com/bigtable/docs/backups

  • [L246] content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Existing HBase applications can typically point at Bigtable with minor configuration changes." — verdict: contradicted; framing: narrowed — Google's own migration docs describe a multi-step process (schema translation, data export/import, IAM conversion, API-version updates). The HBase-compatible client library narrows the code changes to "minor", but full data migration is not. Scope the claim to client code:

    No. The HBase API is an open-source Apache standard that Bigtable supports for compatibility; DynamoDB uses its own API (and PartiQL). For existing HBase applications, the client code typically needs only minor configuration changes to point at Bigtable, but a full migration also requires schema translation, data export/import, and switching authentication to IAM.
    

    Sources: https://docs.cloud.google.com/bigtable/docs/hbase-api-changes, https://docs.cloud.google.com/bigtable/docs/migrate-hbase-data-to-bigtable

  • [L246] content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "The HBase API is specific to Bigtable; DynamoDB uses its own API (and PartiQL)." — verdict: contradicted; framing: shifted — HBase API originated with Apache HBase (the open-source project); Bigtable supports it for compatibility. The article's own comparison table at L53 even credits "HBase API" to Bigtable in the Bigtable column. Saying it's "specific to Bigtable" is technically incorrect and contradicts the rewrite in the [L246] block above. Both sentences are in the same FAQ — the rewrite above covers this fix; ensure "HBase API is an open-source Apache standard that Bigtable supports" replaces the "specific to Bigtable" framing.
    Source: https://hbase.apache.org/

  • [L153] content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "The maximum session duration for ESC-issued AWS credentials is bounded by the IAM role's MaxSessionDuration attribute, up to 12 hours for role chaining." — verdict: contradicted; framing: shifted — AWS docs state role chaining is hard-capped at 1 hour, regardless of MaxSessionDuration. The 12-hour cap applies when an IAM user directly assumes a role, not when one role assumes another. This is exactly backwards in the current copy and will mislead a reader sizing session lifetimes for CI. Rewrite:

    By default, 1 hour, controlled by the `duration` field in the ESC environment. The maximum is bounded by the IAM role's `MaxSessionDuration` attribute (up to 12 hours). Sessions obtained via `AssumeRoleWithWebIdentity` (the OIDC path Pulumi ESC uses) honor `MaxSessionDuration`; role *chaining* (one role assuming another) is hard-capped at 1 hour regardless of `MaxSessionDuration`.
    

    Source: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html

  • [L190] content/what-is/what-is-platform-engineering.md "Pulumi Insights adds search, analytics, and AI over Pulumi Cloud for actionable knowledge on cloud usage and cost optimization." — verdict: contradicted; framing: shifted — the /product/pulumi-insights/ URL now aliases the Insights & Governance page, which the in-repo content describes as compliance auditing, policy enforcement, and AI-powered remediation. "Search, analytics, AI for cost optimization" is the older positioning. Re-align with the current product framing:

    1. *Monitoring and logging* provides full visibility on everything through support for leading monitoring and logging solutions. [Pulumi Insights & Governance](/product/pulumi-insights/) adds cross-cloud search, AI-assisted policy enforcement, and automated remediation over [Pulumi Cloud](/product/pulumi-cloud/).
    

    The same product-currency issue appears in the FAQ at L164 ("[Pulumi Insights] for cross-cloud search and analytics") — please reconcile both call-outs.
    Source: https://github.com/pulumi/docs/blob/master/content/product/insights-governance.md

  • [L191] content/what-is/what-is-platform-engineering.md "Pulumi Policies provides policy-based controls including remediation of policy violations, using the same general-purpose languages Pulumi IaC supports." — verdict: contradicted; framing: shifted — /docs/insights/policy/ describes enforcement modes as Preventative (blocking) and Audit (scanning); "remediation" is not a documented feature of Pulumi Policies itself (remediation lives in the Insights & Governance product framing). Rewrite to match:

    1. *Security and identity* ensures security is foundational. [Pulumi Policies](/docs/insights/policy/) provides policy-as-code controls with both preventative (blocking) and audit (scanning) enforcement modes, written in the same general-purpose languages Pulumi IaC supports. [Pulumi ESC](/product/esc/) provides centralized access to secrets and configuration.
    

    Source: https://github.com/pulumi/docs/blob/master/content/docs/insights/policy/_index.md

⚠️ Low-confidence

Review each and resolve as appropriate — these don't block the PR.

  • [L214] content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable wins for large sequential scans and very high sustained write throughput in terms of latency performance." — verdict: unverifiable; evidence: workload-fit framing is defensible but the phrase "in terms of latency performance" muddles the claim — Bigtable's own docs note sequential scans can raise tail latency due to lack of parallelism. Reframe as throughput/access-pattern fit (which it already is in the prose above) rather than latency. Authoring buffer: confirm the intended claim is "Bigtable wins for sequential-scan throughput and sustained writes" (not a latency-tier statement) and tighten the sentence accordingly. Also retire the "p99" framing here so this FAQ is consistent with the [L103] fix.
    Source: https://cloud.google.com/bigtable/docs/performance

  • [L28] content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "ESC-issued AWS sessions expire after the duration configured in the ESC environment, with a default of 1 hour." — verdict: unverifiable; evidence: Pulumi ESC aws-login docs show duration: 1h as an example value, not a documented behavior when the field is omitted. The same "default 1h" assertion also appears in the L136 troubleshooting table and L153 FAQ — they should all agree. Author question: Is duration: 1h the implicit default if the field is omitted from aws-login, or is the field effectively required? If the latter, drop "default" from this page and rephrase as "1 hour in the example, set by duration".
    Source: https://www.pulumi.com/docs/esc/integrations/dynamic-login-credentials/aws-login/

  • [L38] content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "An IAM role with OIDC trust configured for Pulumi (see Configuring OIDC between Pulumi and AWS)" — verdict: unverifiable; evidence: verifier ran out of turns before resolving the link target. Author check: confirm /docs/esc/environments/configuring-oidc/aws/ is the canonical URL — a quick make serve + click-through is enough. The same link appears in the Learn-more list at L174; if one path needs to change, both do.

  • [L54] content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "The Pulumi OIDC + AWS guide creates an IAM role whose trust policy accepts a JWT from api.pulumi.com/oidc." — verdict: unverifiable; evidence: verifier ran out of turns before confirming the exact issuer URL. The L137 errors table also references api.pulumi.com as the OIDC audience. Author check: confirm the issuer in the canonical OIDC-AWS docs page (the URL referenced at L54) reads api.pulumi.com/oidc as written; this is a copy-pasteable string a reader may put into a trust policy.
    Source: https://www.pulumi.com/docs/esc/environments/configuring-oidc/aws/

  • [L165] content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "For OIDC AssumeRoleWithWebIdentity, Pulumi ESC uses the regional STS endpoint matching AWS_REGION if set, otherwise the global endpoint." — verdict: unverifiable; evidence: this is a behavior claim about the ESC aws-login provider that the verifier couldn't confirm against public docs in 8 turns. If correct, it's a useful troubleshooting tip; if wrong, it'll mislead a reader debugging a RegionDisabledException. Author check: confirm with the ESC team (or by inspection of the aws-login provider source) that endpoint selection follows AWS_REGION → regional, unset → global; if the actual behavior is "always regional when set, global otherwise" or "always global", correct it.

  • [L164] content/what-is/what-is-platform-engineering.md "Pulumi Insights provides cross-cloud search and analytics." — verdict: unverifiable; same product-currency issue as [L190]; /product/pulumi-insights/ is the Insights & Governance product, framed around compliance, policy enforcement, and AI-powered remediation. "Search and analytics" is the older positioning. Resolve this FAQ in the same edit as [L190] so the page is internally consistent.
    Source: https://github.com/pulumi/docs/blob/master/content/product/insights-governance.md

  • [L164] content/what-is/what-is-platform-engineering.md "Pulumi is described as 'the IaC layer for many production internal platforms.'" — verdict: unverifiable; evidence: extracted as if the sentence were quoting an outside source, but in context it's the article's own closing flourish ("The combination is what makes Pulumi the IaC layer for many production internal platforms.") — self-referential editorial copy. Not a factual blocker, but consider toning down to avoid sounding self-quoting; e.g. "…which is why platform teams adopt Pulumi as the IaC foundation for their internal platforms."

Style findings

Found by pattern-based linting; findings may be false positives.

content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md (10 issues: 4 weasel word, 2 first person, 2 hyphenation, 1 filler, 1 wordiness)
  • line 32: [style] hyphenation — 'fully-managed' doesn't need a hyphen.
  • line 32: [style] hyphenation — 'fully-managed' doesn't need a hyphen.
  • line 32: [style] weasel word — 'very' is a weasel word!
  • line 73: [style] weasel word — 'very' is a weasel word!
  • line 73: [style] filler — Don't start a sentence with 'There are'.
  • line 84: [style] wordiness — 'prioritize' is too wordy.
  • line 130: [style] weasel word — 'very' is a weasel word!
  • line 214: [style] weasel word — 'very' is a weasel word!
  • line 216: [style] first person — Avoid first-person pronouns such as ' I '.
  • line 228: [style] first person — Avoid first-person pronouns such as ' I '.
content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md (7 issues: 3 first person, 1 difficulty qualifier, 1 substitution, 1 units, 1 wordiness)
  • line 24: [style] difficulty qualifier — Avoid difficulty qualifier 'easily' -- it judges difficulty for the reader (STYLE-GUIDE.md §Inclusive Language).
  • line 58: [style] substitution — Use 'select' instead of 'click' (STYLE-GUIDE.md).
  • line 136: [style] units — Put a nonbreaking space between the number and the unit in '1h'.
  • line 145: [style] first person — Avoid first-person pronouns such as ' I '.
  • line 153: [style] wordiness — 'maximum' is too wordy.
  • line 155: [style] first person — Avoid first-person pronouns such as ' I '.
  • line 159: [style] first person — Avoid first-person pronouns such as ' I '.
content/what-is/what-is-platform-engineering.md (10 issues: 4 difficulty qualifier, 2 first person, 2 weasel word, 2 wordiness)
  • line 14: [style] difficulty qualifier — Avoid difficulty qualifier 'easy' -- it judges difficulty for the reader (STYLE-GUIDE.md §Inclusive Language).
  • line 25: [style] first person — Avoid first-person pronouns such as ' I '.
  • line 47: [style] wordiness — 'It is' is too wordy.
  • line 47: [style] wordiness — 'it is' is too wordy.
  • line 85: [style] difficulty qualifier — Avoid difficulty qualifier 'Simple' -- it judges difficulty for the reader (STYLE-GUIDE.md §Inclusive Language).
  • line 91: [style] first person — Avoid first-person pronouns such as ' I '.
  • line 110: [style] difficulty qualifier — Avoid difficulty qualifier 'simply' -- it judges difficulty for the reader (STYLE-GUIDE.md §Inclusive Language).
  • line 119: [style] weasel word — 'significantly' is a weasel word!
  • line 136: [style] weasel word — 'clearly' is a weasel word!
  • line 136: [style] difficulty qualifier — Avoid difficulty qualifier 'clearly' -- it judges difficulty for the reader (STYLE-GUIDE.md §Inclusive Language).

📋 Triaged verifier findings

I double-checked these and realized they weren't real findings — click to expand
  • [L152] content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB is compatible with the HBase 1.x API." Spurious: the verifier misattributed the claim to DynamoDB, but the integrations table at L152 puts "HBase 1.x API, plus native gRPC clients" in the Bigtable column (DynamoDB column reads "AWS SDKs, PartiQL"). The page does not claim DynamoDB supports HBase 1.x.

  • [L189] content/what-is/what-is-platform-engineering.md "The Pulumi Automation API makes it possible to embed IaC inside application software, enabling reusable infrastructure workflows." Mis-sourced: verifier timed out on this Pass-3 entry, but the identical Automation-API embedding claim at L164 was verified against pulumi.com/blog/automation-api/. Effectively a duplicate.

  • [L194] content/what-is/what-is-platform-engineering.md "Pulumi offers a modern, flexible approach to the needs of platform engineering teams. Request a demo of Pulumi, or [get started using Pul…" Mis-sourced: this is the page's closing CTA — a navigation/marketing sentence pointing to /contact?form=demo and /docs/iac/get-started/. Not a third-party-attributed factual claim.

💡 Pre-existing issues in touched files (optional)

No pre-existing issues in touched files.

✅ Resolved since last review

No items resolved since the last review.

📜 Review history

  • 2026-05-20T16:53:10Z — 10 contradicted findings across the three rewrites: HBase API attribution, DynamoDB p99 framing, GoogleSQL GA status, Bigtable backup/Cloud-Storage conflation, AWS role-chaining 12h limit, and stale Pulumi Insights/Policies framing. (4608207)

Need a re-review? Want to dispute a finding? Mention @claude and include #update-review.
(For ad-hoc questions or fixes, just @claude — no hashtag.)

@github-actions github-actions Bot added review:outstanding-issues Claude review completed; outstanding has author-actionable findings and removed review:in-progress Claude review is currently running labels May 20, 2026
Rewrite for SEO and AEO: quotable opening definition, semantic
chunking with question-style H2s, FAQ section targeting
doubt-removers, citable claims, and cross-links to related
/what-is/ pages and product docs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@alexleventer alexleventer force-pushed the aleventer/platform-engineering-rewrite branch from 4608207 to cf931fe Compare May 20, 2026 18:02
@github-actions github-actions Bot added review:stale New commits since last Claude review; refresh on next ready-transition or @claude mention and removed review:outstanding-issues Claude review completed; outstanding has author-actionable findings labels May 20, 2026
@alexleventer alexleventer marked this pull request as draft May 20, 2026 18:03