Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
f
flat-animal-59128
04/10/2023, 4:41 PMHaving an architectural challenge to grant cross account access to built Lambda functions. We are trying to assume a role in the second account for redshift access. How can we programmatically add the created Lambda execution role arn to the Trust policy for the cross acount role in the 2nd account redshift access
b
billowy-army-68599
04/10/2023, 5:19 PMhi there 👋
are both roles created by Pulumi? there’s an assume role example here in TypeScript
https://github.com/jaxxstorm/pulumi-examples/blob/8a8e752936aeebba7224c7928e83ff030663f75a/typescript/aws/assume_role/index.ts#L5
f
flat-animal-59128
04/10/2023, 5:28 PMThey are not built in the same Pulumi stack or project
b
billowy-army-68599
04/10/2023, 5:29 PMit should still be possible, you just need to know the arn’s of the roles to add to the trust policy and the permission
f
flat-animal-59128
04/10/2023, 5:38 PMConcur but finding the add to Trust on the account222222 role is escaping me.
The build for the lambda + role on account11111 is working so I can get the created ARN.
But adding it to the role on account222222?
The Trust on account22222 currently looks like
Trust Relationships
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111111111:user/PULUMI_DEV_DEPLOYMENTS",
"arn:aws:iam::1111111:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWS_SSO_Data_Engineering_a111111"
]
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}b
billowy-army-68599
04/10/2023, 5:41 PMso the user
PULUMI_DEV_DEPLOYMENTSf
flat-animal-59128
04/10/2023, 5:41 PMNo
That's the problem
b
billowy-army-68599
04/10/2023, 5:41 PMyou should just be able to add the lambda’s role to the AWS principals list, how have you defined your lambda?
f
flat-animal-59128
04/10/2023, 5:42 PMlambda_execution_role = aws_native.iam.Role(f'{environment}-lambda-exec-role',
assume_role_policy_document = json.dumps({
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"Service": "<http://lambda.amazonaws.com|lambda.amazonaws.com>"}
,"Action": "sts:AssumeRole"
}]
})
, managed_policy_arns=["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
,ds_s3_readpolicy.arn]
#, tags = [f'{aws_tags_ls}']
)And the resource
#build the lambda
lambda_func2 = aws_native.lambda_.Function(f'{environment}-bkv-well-comm-wellpairs-lambda'
, handler="wellpair.handler"
, role=lambda_execution_role.arn
, code=aws_native.lambda_.FunctionCodeArgs(
s3_bucket=s3_bucket,
s3_key=wp_lb_key,
)
, runtime="python3.9"
, timeout=40
, memory_size=4096
, layers= ["arn:aws:lambda:us-east-1:336392948345:layer:AWSSDKPandas-Python39:5"]
)b
billowy-army-68599
04/10/2023, 5:43 PMokay, so export that
lambda_execution_role_arnpulumi.export("arn", lambda_execution_role.arn)you’ll also need to add a policy to the lambda_execution_role to allow it to actually perform assume role, so something like
policy_doc = aws.iam.get_policy_document_output(
version="2012-10-17",
statements=[
aws.iam.GetPolicyDocumentStatementArgs(
effect="Allow",
actions=[
"sts:AssumeRole",
],
resources=[*],
)
],
)
"""
A policy for retrieving secrets from AWS SSM
"""
policy = aws.iam.Policy(
f"secret-policy",
policy=policy_doc.json,
)
"""
Now attach it to the task execution role
"""
aws.iam.RolePolicyAttachment(
f"secret-policy",
role=lambda_execution_role.name,
policy_arn=policy.arn,
)f
flat-animal-59128
04/10/2023, 6:09 PMsorry had to solve a different issue. On the
`so export that
lambda_execution_role_arnpulumi.export("arn", lambda_execution_role.arn)pulumi.export("arn", lambda_execution_role.arn)
ds_well_comm_lambda_policy = aws.iam.Policy(f'well-comm-lambda-arn',
path="/",
description="well-comm-lambda-arn to add to acct222222 role",
policy=json.dumps({
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole",
],
"Principal": {
"AWS": [
"lambda_execution_role.arn",
],
},
"Effect": "Allow"
}],
}))
account22222role = aws.iam.RolePolicyAttachment(
f"well-comm-lambda-arn",
role=account22222role.name,
policy_arn=ds_well_comm_lambda_policy.arn,
)b
billowy-army-68599
04/10/2023, 6:10 PMis
ds_well_comm_lambda_policyaccount22222role = aws.iam.RolePolicyAttachment(
f"well-comm-lambda-arn",
role=account22222role.name,
policy_arn=ds_well_comm_lambda_policy.arn,
)this needs to be in account A, where the lambda is executed
f
flat-animal-59128
04/10/2023, 6:13 PMtrying it out
Sorry I had reacted incorrectly the policy being built is in a stack being built in acct111111
So how do I attach the lambda execution arn in acct111111 to the trust in acct2222222?
account22222role = aws.iam.RolePolicyAttachment(
f"well-comm-lambda-arn",
role=account22222role.name, ###<- this would be the role in acct22222 correct?
policy_arn=ds_well_comm_lambda_policy.arn, # <- this the policy made while building the lambda in acct11111
)b
billowy-army-68599
04/10/2023, 7:56 PMthe destination policy doesn’t need a RolePolicyAttachment, it just needs a trust policy
f
flat-animal-59128
04/10/2023, 8:08 PMI am trying to update the Trust policy in acctt22222 is what I am trying to accomplish. I am not having much success finding how to add the acct111.arn to the trust policy for acct2222. Closest so far was under an emr actions in aws cli api. https://docs.aws.amazon.com/cli/latest/reference/emr-containers/update-role-trust-policy.html
b
billowy-army-68599
04/10/2023, 8:18 PMokay what’s the code you have for the role in acct22222
f
flat-animal-59128
04/10/2023, 8:20 PMThat role was created by Scott, our infra guy
I, one of the "trusted" roles, can assume and create a boto3.session("acct2222") and list roles etc.....
b
billowy-army-68599
04/10/2023, 8:23 PMokay, so you should be able to add the role to the trust policy in the principals…
f
flat-animal-59128
04/10/2023, 8:25 PMBut if I go in acct22222 console the assumed role does not have any update:iam permission
and from pulumi feedback I get
aws:iam:Policy (well-comm-lambda-arn):
error: 1 error occurred:
* creating IAM Policy well-comm-lambda-arn-feb86f7: MalformedPolicyDocument: Policy document should not specify a principal.b
billowy-army-68599
04/10/2023, 8:29 PMaws:iam:Policyf
flat-animal-59128
04/10/2023, 8:31 PMIf it is managed by Pulumi from a different project can we update via code?
I am not tied to any method of being able to execute a query from a lambda in acct11111 on redshift in acct222222. I just need to be able to execute the E of the TL in order to build what they actually want me to build. 😄
The assumedRole has been initial guidance for me to follow but if there is a better way of connecting pipes please let us know.