Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
d
dry-journalist-60579
03/16/2023, 10:40 PMok… here’s another one. I have the following role assuming pattern locally (for… reasons):
role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_xxxxxxxxx (the role I am logged into via the CLI)
=> assumes
role/service-role/AWSControlTowerAdmin (via Pulumi.<stack>.yaml config var aws:assumeRole.roleArn)
=> assumes
role/AWSControlTowerExecution (via `aws.Provider` in the Pulumi code)aws:assumeRoleassumed-role/PulumiOIDC/pulumirole/service-role/AWSControlTowerAdminrole/service-role/AWSControlTowerAdminrole/AWSControlTowerExecutionassumed-role/PulumiOIDC/pulumirole/AWSControlTowerExecutionPulumi.<stack>.yamlTwo pieces of background for the pattern:
The reason I’m leveraging these existing roles is that AWS Control Tower automatically sets them up in accounts created via the factory such that
AWSControlTowerAdminAWSControlTowerExecutionAdministratorAccessAWSReservedSSO_AWSAdministratorAccess_xxxxxxxxxrole/service-role/AWSControlTowerAdminrole/AWSControlTowerExecution👀 any thoughts? Is a
Pulumi.yamlaws:assumeRole.roleArnr
red-match-15116
03/17/2023, 5:42 PMI'm not certain about what's going on here but I can provide some insight into deployments perhaps. There is nothing in pulumi deployments that would change overwrite your project's Pulumi.yaml or Pulumi.<stack>.yaml.
d
dry-journalist-60579
03/17/2023, 6:02 PMHmm I mean the UI is displaying the correct values from the Pulumi.yaml config. But the update does not seem to be running with the roleArn assumed
l
lemon-agent-27707
03/17/2023, 6:58 PMI believe the AWS OIDC integration sets some environment variables so that providers can automatically pick up credentials without you having to modify your program.
This could explain the difference in provider configuration that you are seeing locally vs in the deployment run.
From the deployment OIDC docs for AWS:
With this configuration, each deployment of this stack will attempt to exchange the deployment’s OIDC token for AWS credentials using the specified IAM role prior to running any pre-commands or Pulumi operations. The fetched credentials are published in theMight be helpful to share code on how you are configuring the provider and assuming the roles.,AWS_ACCESS_KEY_ID, andAWS_SECRET_ACCESS_KEYenvironment variables. The raw OIDC token is also available for advanced scenarios in theAWS_SESSION_TOKENenvironment variable and thePULUMI_OIDC_TOKENfile./mnt/pulumi/pulumi.oidc
d
dry-journalist-60579
03/17/2023, 7:21 PMThis is my `Pulumi.prod.yaml`:
config:
aws:region: us-east-1
aws:allowedAccountIds: [xxx]
aws:assumeRole:
roleArn: arn:aws:iam::xxx:role/service-role/AWSControlTowerAdminname: admin
runtime:
name: python
description: Manage resources related to our AWS account structureAnd this is the Pulumi code in `__main__.py`:
import pulumi
import pulumi_aws as aws
MANAGEMENT_ACCOUNT_ID = "xxx"
PASSWORD_PARAMS = {
"require_uppercase_characters": True,
"require_lowercase_characters": True,
"require_symbols": True,
"require_numbers": True,
"minimum_password_length": 20,
}
organization = aws.organizations.get_organization()
for account in organization.accounts:
# Skip deactivated accounts and the management account
if account.status != "ACTIVE":
continue
if account.id == MANAGEMENT_ACCOUNT_ID:
# See aws-admin-bootstrap-stack where the ManagementAccountAdmin role is created
provider = aws.Provider(
f"Provider: Mighty Management Account",
region="us-east-1",
assume_role={
"roleArn": "arn:aws:iam::xxx:role/ManagementAccountAdmin",
},
)
else:
role_arn = pulumi.Output.format(
"arn:aws:iam::{0}:role/AWSControlTowerExecution", account.id
)
# Create Provider to assume role
provider = aws.Provider(
f"Provider: {account.name}",
region="us-east-1",
assume_role={
"roleArn": role_arn,
},
)
password_policy = aws.iam.AccountPasswordPolicy(
f"AccountPasswordPolicy: {account.name}",
**PASSWORD_PARAMS,
opts=pulumi.ResourceOptions(provider=provider),
)Hmm using
aws-sso-utilawsumeAWS_*env | grep AWS
AWSUME_COMMAND=Mighty-Management-Account.AWSAdministratorAccess
AWS_ACCESS_KEY_ID=XXX
AWS_SECRET_ACCESS_KEY=YYY
AWS_SESSION_TOKEN=ZZZ
AWS_REGION=us-east-1
AWS_DEFAULT_REGION=us-east-1
AWSUME_PROFILE=Mighty-Management-Account.AWSAdministratorAccess
AWSUME_EXPIRATION=2023-03-17T20:23:39Locally I just run
poetry run pulumi upl
lemon-agent-27707
03/19/2023, 7:28 PMIt basically skips the middle assumption and uses the Deployment role to try to directly assume the 3rd role, AWSControlTowerExecution and it fails.I don't see anywhere in your code where there is an explicit attempt to assume
role/service-role/AWSControlTowerAdminAWSControlTowerExecutionCan you try out creating two explicit providers? You'll need to create the first provider specifying assume role on
AWSControlTowerAdminAWSControlTowerExecutiond
dry-journalist-60579
03/20/2023, 2:54 PMSo locally I am definitely assuming my SSO role and the way the
role/service-role/AWSControlTowerAdminI once tried to do it explicitly via providers in the code but I got an error saying that a provider does not accept another provider as a parameter
I wish I could do it via code
image.png
TypeError: Explicit providers may not be used with provider resourcesI did just realize that this might not be necessary anymore as the Trust Relationship of
role/AWSControlTowerExecutionl
lemon-agent-27707
03/21/2023, 12:08 AMAh, indeed I think I'm leading you astray with that suggestion. But I believe this issue may explain some of the behavior you are seeing: https://github.com/pulumi/pulumi/issues/12176
I'd encourage you to share notes on that issue and give it a +1. But it sounds like you have a workaround for the time being?
d
dry-journalist-60579
03/21/2023, 5:47 PMHmm I’m not sure if that issue applies here… it does make sense and I +1ed it, but I think the issue here is that the project/stack configuration from the Pulumi.yaml files are being ignored during the Pulumi Deployments…? But yes, I think I do have a workaround, but need to see if I can implement it
(thank you for looking into this btw!!)
l
lemon-agent-27707
03/21/2023, 10:34 PMI think the issue here is that the project/stack configuration from the Pulumi.yaml files are being ignored during the Pulumi Deployments…?Pulumi Deployments still use the CLI when running an update. My guess is that there are a different set of environment variables that get set during a deployment vs what you have set locally. It is possible that the different env vars are causing some difference in behavior between the precedence of explicit configuration, stack configuration, and environment variables as is mentioned in the issue.
d
dry-journalist-60579
03/21/2023, 10:51 PMahh ok—I’m almost done with reorganizing all the roles and will be testing out the new set up in a few min 🤞🏽
Annnnd it worked! So in summary, I was able to get Pulumi Deployments set up with a single OIDC provider and role in the AWS Control Tower management account that is able to assume the
AWSControlTowerExecutionconfig.aws:assumeRole.roleArnl
lemon-agent-27707
03/22/2023, 8:24 PM:woohoo: glad to hear you got it working!
Was there any trick in particular that was required? Would be useful to know for helping folks in the future.
b
brash-gigabyte-81569
04/18/2023, 2:55 PMi am struggling to get this to work, was there a trick?
Constantly getting
error: could not validate provider configuration: 1 error occurred:
* Invalid or unknown keyconfig:
aws:region: us-east-1
aws:assumeRole.roleArn: *************d
dry-journalist-60579
04/18/2023, 3:05 PMconfig:
aws:assumeRole:
roleArn: xxx
aws:region: us-east-1I’ve never seen that dot notation in yaml…. are you sure that’s valid? Might be worth testing
b
brash-gigabyte-81569
04/18/2023, 3:07 PMyeah it’s how they talk about it here
When I nest the config as you have I get this error
unexpected configuration type 'map[string]interface {}': valid types are string, List<string>, number, List<number>, integer, List<integer>, boolean, List<number>d
dry-journalist-60579
04/18/2023, 3:09 PMhmm could that be related to the code?
what line is it coming from?
b
brash-gigabyte-81569
04/18/2023, 3:10 PMdoesn’t say, assuming it is coming from the provider
what language you using? TS?
d
dry-journalist-60579
04/18/2023, 3:15 PMPython here
b
brash-gigabyte-81569
04/18/2023, 3:15 PMI found my issue https://github.com/pulumi/pulumi-yaml/issues/434#issuecomment-1424243406 😒ad-panda:
d
dry-journalist-60579
04/18/2023, 3:16 PMso it sounds like it’s a separate item in the config that’s blowing up now?
b
brash-gigabyte-81569
04/18/2023, 3:17 PMNo, it’s the config. The style needed to configure assumeRoles doesn’t work properly when using the yaml runtime
d
dry-journalist-60579
04/18/2023, 3:17 PMOh you’re using
yamlb
brash-gigabyte-81569
04/18/2023, 3:18 PMyeah in this stack
d
dry-journalist-60579
04/18/2023, 3:20 PMahh ok, that’s a bummer about that bug—sorry!!
b
brash-gigabyte-81569
04/18/2023, 3:21 PMWell thanks for helping me to at least arrive at what is wrong
l
lemon-agent-27707
04/24/2023, 2:25 AM@brash-gigabyte-81569 sorry for the trouble here! I followed up with the team and we have a workaround for you here as we work on a fix: https://github.com/pulumi/pulumi-yaml/issues/434#issuecomment-1519177770
b
brash-gigabyte-81569
04/24/2023, 1:06 PMNo worries, I got it working with profiles and setting the profile flag for my case. But I can see using this workaround when i hit another case where the nesting is an issue