# aws
f
Having an architectural challenge to grant cross account access to built Lambda functions. We are trying to assume a role in the second account for redshift access. How can we programmatically add the created Lambda execution role arn to the Trust policy for the cross account role in the 2nd account for redshift access?
b
hi there 👋 are both roles created by Pulumi? there’s an assume role example here in TypeScript https://github.com/jaxxstorm/pulumi-examples/blob/8a8e752936aeebba7224c7928e83ff030663f75a/typescript/aws/assume_role/index.ts#L5
f
They are not built in the same Pulumi stack or project
b
it should still be possible, you just need to know the arn’s of the roles to add to the trust policy and the permission
f
Concur, but how to add it to the Trust on the account222222 role is escaping me. The build for the lambda + role on account11111 is working, so I can get the created ARN. But adding it to the role on account222222? The Trust on account22222 currently looks like
Trust Relationships
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111111111:user/PULUMI_DEV_DEPLOYMENTS",
                    "arn:aws:iam::1111111:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWS_SSO_Data_Engineering_a111111"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
```
b
so the user `PULUMI_DEV_DEPLOYMENTS` is the one that lambda is running as?
f
No
That's the problem
b
you should just be able to add the lambda’s role to the AWS principals list, how have you defined your lambda?
f
```python
import json
import pulumi_aws_native as aws_native

# Execution role for the Lambda: trusted by the Lambda service, with basic
# execution permissions plus the S3 read policy defined elsewhere in the stack
lambda_execution_role = aws_native.iam.Role(f'{environment}-lambda-exec-role',
    assume_role_policy_document = json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"}
            ,"Action": "sts:AssumeRole"
        }]
    })
    , managed_policy_arns=["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
                           ,ds_s3_readpolicy.arn]
    #, tags = [f'{aws_tags_ls}']
    )
```
And the resource
```python
#build the lambda
lambda_func2 = aws_native.lambda_.Function(f'{environment}-bkv-well-comm-wellpairs-lambda'
    , handler="wellpair.handler"
    , role=lambda_execution_role.arn
    , code=aws_native.lambda_.FunctionCodeArgs(
        s3_bucket=s3_bucket,
        s3_key=wp_lb_key,
    )
    , runtime="python3.9"
    , timeout=40
    , memory_size=4096
    , layers= ["arn:aws:lambda:us-east-1:336392948345:layer:AWSSDKPandas-Python39:5"]
    )
```
b
okay, so export that `lambda_execution_role_arn`
```python
pulumi.export("arn", lambda_execution_role.arn)
```
Then add that arn to the trust relationship principals array
you’ll also need to add a policy to the lambda_execution_role to allow it to actually perform assume role, so something like
```python
import pulumi_aws as aws

# Policy document letting the Lambda execution role call sts:AssumeRole.
# "*" is kept from the original suggestion; restricting resources to the
# ARN of the role in the redshift account is the least-privilege choice.
policy_doc = aws.iam.get_policy_document_output(
    version="2012-10-17",
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            effect="Allow",
            actions=[
                "sts:AssumeRole",
            ],
            resources=["*"],
        )
    ],
)

# A customer-managed policy built from the document above
policy = aws.iam.Policy(
    "secret-policy",
    policy=policy_doc.json,
)

# Now attach it to the lambda execution role
aws.iam.RolePolicyAttachment(
    "secret-policy",
    role=lambda_execution_role.name,
    policy_arn=policy.arn,
)
```
f
sorry, had to solve a different issue. On the `so export that lambda_execution_role_arn` / `pulumi.export("arn", lambda_execution_role.arn)` / `Then add that arn to the trust relationship principals array`, would it look something like
```python
pulumi.export("arn", lambda_execution_role.arn)

ds_well_comm_lambda_policy = aws.iam.Policy(f'well-comm-lambda-arn',
    path="/",
    description="well-comm-lambda-arn to add to acct222222 role",
    policy=json.dumps({
        "Version": "2012-10-17",
        "Statement": [
        {
            "Action": [
                "sts:AssumeRole",
            ],
            "Principal": {
                "AWS": [
                    "lambda_execution_role.arn",
                ],
            },
            "Effect": "Allow"
        }],
    }))

account22222role = aws.iam.RolePolicyAttachment(
    f"well-comm-lambda-arn",
    role=account22222role.name,
    policy_arn=ds_well_comm_lambda_policy.arn,
)
```
b
is `ds_well_comm_lambda_policy` in account B where the redshift cluster is? that’s where the trust policy needs to be added
```python
account22222role = aws.iam.RolePolicyAttachment(
    f"well-comm-lambda-arn",
    role=account22222role.name,
    policy_arn=ds_well_comm_lambda_policy.arn,
)
```
this needs to be in account A, where the lambda is executed
f
trying it out
Sorry, I had reacted incorrectly. The policy being built is in a stack being built in acct111111. So how do I attach the lambda execution arn in acct111111 to the trust in acct2222222?
```python
account22222role = aws.iam.RolePolicyAttachment(
    f"well-comm-lambda-arn",
    role=account22222role.name, ###<- this would be the role in acct22222 correct?
    policy_arn=ds_well_comm_lambda_policy.arn, # <- this the policy made while building the lambda in acct11111
)
```
I can not get the build in acct11111 to see the role in acct22222 to even try and update the trust policy
b
the destination policy doesn’t need a RolePolicyAttachment, it just needs a trust policy
f
I am trying to update the Trust policy in acct22222, is what I am trying to accomplish. I am not having much success finding how to add the acct111.arn to the trust policy for acct2222. Closest so far was under the EMR actions in the aws cli api. https://docs.aws.amazon.com/cli/latest/reference/emr-containers/update-role-trust-policy.html
b
okay, what’s the code you have for the role in acct22222?
f
That role was created by Scott, our infra guy
I, one of the "trusted" roles, can assume and create a boto3.session("acct2222") and list roles etc.....
b
okay, so you should be able to add the role to the trust policy in the principals…
f
But if I go into the acct22222 console, the assumed role does not have any update:iam permission, and from pulumi feedback I get
```text
aws:iam:Policy (well-comm-lambda-arn):
    error: 1 error occurred:
        * creating IAM Policy well-comm-lambda-arn-feb86f7: MalformedPolicyDocument: Policy document should not specify a principal.
```
b
`aws:iam:Policy` isn’t the correct resource, if the role in acct2222 isn’t managed by Pulumi, you’ll need to add it manually
f
If it is managed by Pulumi from a different project can we update via code?
I am not tied to any method of being able to execute a query from a lambda in acct11111 on redshift in acct222222. I just need to be able to execute the E of the TL in order to build what they actually want me to build. 😄 The assumedRole has been initial guidance for me to follow but if there is a better way of connecting pipes please let us know.