flat-animal-59128
04/10/2023, 4:41 PM

billowy-army-68599
04/10/2023, 5:19 PM

flat-animal-59128
04/10/2023, 5:28 PM

billowy-army-68599
04/10/2023, 5:29 PM

flat-animal-59128
04/10/2023, 5:38 PM
Trust Relationships
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111111111:user/PULUMI_DEV_DEPLOYMENTS",
                    "arn:aws:iam::1111111:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWS_SSO_Data_Engineering_a111111"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
billowy-army-68599
04/10/2023, 5:41 PM
PULUMI_DEV_DEPLOYMENTS is the one that lambda is running as?

flat-animal-59128
04/10/2023, 5:41 PM

billowy-army-68599
04/10/2023, 5:41 PM

flat-animal-59128
04/10/2023, 5:42 PM
lambda_execution_role = aws_native.iam.Role(f'{environment}-lambda-exec-role',
    assume_role_policy_document=json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "lambda.amazonaws.com"},
                "Action": "sts:AssumeRole"
            }]
    }),
    managed_policy_arns=["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
                         ds_s3_readpolicy.arn],
    # tags=[f'{aws_tags_ls}']
)
# build the lambda
lambda_func2 = aws_native.lambda_.Function(f'{environment}-bkv-well-comm-wellpairs-lambda',
    handler="wellpair.handler",
    role=lambda_execution_role.arn,
    code=aws_native.lambda_.FunctionCodeArgs(
        s3_bucket=s3_bucket,
        s3_key=wp_lb_key,
    ),
    runtime="python3.9",
    timeout=40,
    memory_size=4096,
    layers=["arn:aws:lambda:us-east-1:336392948345:layer:AWSSDKPandas-Python39:5"],
)
billowy-army-68599
04/10/2023, 5:43 PM
lambda_execution_role_arn
pulumi.export("arn", lambda_execution_role.arn)
Then add that arn to the trust relationship principals array

policy_doc = aws.iam.get_policy_document_output(
    version="2012-10-17",
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            effect="Allow",
            actions=[
                "sts:AssumeRole",
            ],
            resources=["*"],
        )
    ],
)
"""
A policy for retrieving secrets from AWS SSM
"""
policy = aws.iam.Policy(
    "secret-policy",
    policy=policy_doc.json,
)
"""
Now attach it to the task execution role
"""
aws.iam.RolePolicyAttachment(
    "secret-policy",
    role=lambda_execution_role.name,
    policy_arn=policy.arn,
)
flat-animal-59128
04/10/2023, 6:09 PM
> lambda_execution_role_arn
> pulumi.export("arn", lambda_execution_role.arn)
> Then add that arn to the trust relationship principals array
Would it look something like
pulumi.export("arn", lambda_execution_role.arn)
ds_well_comm_lambda_policy = aws.iam.Policy('well-comm-lambda-arn',
    path="/",
    description="well-comm-lambda-arn to add to acct222222 role",
    policy=json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "sts:AssumeRole",
                ],
                "Principal": {
                    "AWS": [
                        "lambda_execution_role.arn",
                    ],
                },
                "Effect": "Allow"
            }],
    }))
account22222role = aws.iam.RolePolicyAttachment(
    "well-comm-lambda-arn",
    role=account22222role.name,
    policy_arn=ds_well_comm_lambda_policy.arn,
)
billowy-army-68599
04/10/2023, 6:10 PM
ds_well_comm_lambda_policy in account B where the redshift cluster is? that's where the trust policy needs to be added
account22222role = aws.iam.RolePolicyAttachment(
    "well-comm-lambda-arn",
    role=account22222role.name,
    policy_arn=ds_well_comm_lambda_policy.arn,
)
flat-animal-59128
04/10/2023, 6:13 PM
account22222role = aws.iam.RolePolicyAttachment(
    "well-comm-lambda-arn",
    role=account22222role.name,  # <- this would be the role in acct22222 correct?
    policy_arn=ds_well_comm_lambda_policy.arn,  # <- this the policy made while building the lambda in acct11111
)
I cannot get the build in acct11111 to see the role in acct22222 to even try and update the trust policy

billowy-army-68599
04/10/2023, 7:56 PM

flat-animal-59128
04/10/2023, 8:08 PM

billowy-army-68599
04/10/2023, 8:18 PM

flat-animal-59128
04/10/2023, 8:20 PM

billowy-army-68599
04/10/2023, 8:23 PM

flat-animal-59128
04/10/2023, 8:25 PM
aws:iam:Policy (well-comm-lambda-arn):
  error: 1 error occurred:
    * creating IAM Policy well-comm-lambda-arn-feb86f7: MalformedPolicyDocument: Policy document should not specify a principal.

billowy-army-68599
04/10/2023, 8:29 PM
aws:iam:Policy isn't the correct resource; if the role in acct2222 isn't managed by Pulumi, you'll need to add it manually.

flat-animal-59128
04/10/2023, 8:31 PM