# aws
b
hi there 👋 are both roles created by Pulumi? there’s an assume role example here in TypeScript https://github.com/jaxxstorm/pulumi-examples/blob/8a8e752936aeebba7224c7928e83ff030663f75a/typescript/aws/assume_role/index.ts#L5
f
They are not built in the same Pulumi stack or project
b
it should still be possible, you just need to know the arn’s of the roles to add to the trust policy and the permission
f
Concur but finding the add to Trust on the account222222 role is escaping me. The build for the lambda + role on account11111 is working so I can get the created ARN. But adding it to the role on account222222? The Trust on account22222 currently looks like
Trust Relationships
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111111111:user/PULUMI_DEV_DEPLOYMENTS",
                    "arn:aws:iam::1111111:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWS_SSO_Data_Engineering_a111111"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
b
so the user `PULUMI_DEV_DEPLOYMENTS` is the one that lambda is running as?
f
No
That's the problem
b
you should just be able to add the lambda’s role to the AWS principals list, how have you defined your lambda?
f
import json
import pulumi_aws_native as aws_native

lambda_execution_role = aws_native.iam.Role(
    f"{environment}-lambda-exec-role",
    # Trust policy: only the Lambda service may assume this role
    assume_role_policy_document=json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }),
    managed_policy_arns=[
        "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
        ds_s3_readpolicy.arn,
    ],
    # tags=[f"{aws_tags_ls}"]
)
And the resource
# build the lambda
lambda_func2 = aws_native.lambda_.Function(
    f"{environment}-bkv-well-comm-wellpairs-lambda",
    handler="wellpair.handler",
    role=lambda_execution_role.arn,
    code=aws_native.lambda_.FunctionCodeArgs(
        s3_bucket=s3_bucket,
        s3_key=wp_lb_key,
    ),
    runtime="python3.9",
    timeout=40,
    memory_size=4096,
    layers=["arn:aws:lambda:us-east-1:336392948345:layer:AWSSDKPandas-Python39:5"],
)
b
okay, so export that `lambda_execution_role_arn`:
pulumi.export("arn", lambda_execution_role.arn)
Then add that arn to the trust relationship principals array
you’ll also need to add a policy to the lambda_execution_role to allow it to actually perform assume role, so something like
import pulumi_aws as aws

# Identity policy for the lambda role: allow it to call sts:AssumeRole.
# "*" lets it attempt to assume any role whose trust policy names it;
# scoping resources to the acct22222 role ARN is the least-privilege option.
policy_doc = aws.iam.get_policy_document_output(
    version="2012-10-17",
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            effect="Allow",
            actions=["sts:AssumeRole"],
            resources=["*"],
        )
    ],
)

# A policy for retrieving secrets from AWS SSM
policy = aws.iam.Policy(
    "secret-policy",
    policy=policy_doc.json,
)

# Now attach it to the task execution role
aws.iam.RolePolicyAttachment(
    "secret-policy",
    role=lambda_execution_role.name,
    policy_arn=policy.arn,
)
f
Sorry, had to solve a different issue. On the "so export that `lambda_execution_role_arn`, `pulumi.export("arn", lambda_execution_role.arn)`, then add that arn to the trust relationship principals array" part, would it look something like:
pulumi.export("arn", lambda_execution_role.arn)

# NOTE: an identity-based aws.iam.Policy cannot carry a "Principal";
# the principal belongs in the acct22222 role's trust policy instead.
ds_well_comm_lambda_policy = aws.iam.Policy(
    "well-comm-lambda-arn",
    path="/",
    description="well-comm-lambda-arn to add to acct222222 role",
    # Output.json_dumps resolves the role ARN Output, rather than
    # embedding the literal string "lambda_execution_role.arn"
    policy=pulumi.Output.json_dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Action": ["sts:AssumeRole"],
            "Principal": {"AWS": [lambda_execution_role.arn]},
            "Effect": "Allow",
        }],
    }),
)

# account22222role must be the role object in acct22222, which this
# stack does not define; the attachment gets its own name so it does
# not shadow that role
account22222role_attachment = aws.iam.RolePolicyAttachment(
    "well-comm-lambda-arn",
    role=account22222role.name,
    policy_arn=ds_well_comm_lambda_policy.arn,
)
b
is `ds_well_comm_lambda_policy` in account B where the redshift cluster is? that’s where the trust policy needs to be added
🚫 1
account22222role_attachment = aws.iam.RolePolicyAttachment(
    "well-comm-lambda-arn",
    role=account22222role.name,
    policy_arn=ds_well_comm_lambda_policy.arn,
)
this needs to be in account A, where the lambda is executed
f
trying it out
Sorry, I had reacted incorrectly; the policy being built is in a stack being built in acct111111. So how do I attach the lambda execution ARN in acct111111 to the trust in acct2222222?
account22222role_attachment = aws.iam.RolePolicyAttachment(
    "well-comm-lambda-arn",
    role=account22222role.name,  # <- this would be the role in acct22222 correct?
    policy_arn=ds_well_comm_lambda_policy.arn,  # <- this the policy made while building the lambda in acct11111
)
I cannot get the build in acct11111 to see the role in acct22222 to even try and update the trust policy.
b
the destination policy doesn’t need a RolePolicyAttachment, it just needs a trust policy
f
Updating the Trust policy in acct22222 is what I am trying to accomplish. I am not having much success finding how to add the acct111 ARN to the trust policy for acct2222. Closest so far was under the EMR actions in the AWS CLI API: https://docs.aws.amazon.com/cli/latest/reference/emr-containers/update-role-trust-policy.html
b
okay what’s the code you have for the role in acct22222
f
That role was created by Scott, our infra guy
I, one of the "trusted" roles, can assume and create a boto3.session("acct2222") and list roles etc.....
b
okay, so you should be able to add the role to the trust policy in the principals…
f
But if I go into the acct22222 console, the assumed role does not have any update:iam permission, and from the pulumi feedback I get
aws:iam:Policy (well-comm-lambda-arn):
    error: 1 error occurred:
        * creating IAM Policy well-comm-lambda-arn-feb86f7: MalformedPolicyDocument: Policy document should not specify a principal.
b
`aws:iam:Policy` isn’t the correct resource, if the role in acct2222 isn’t managed by Pulumi, you’ll need to add it manually
f
If it is managed by Pulumi from a different project can we update via code?
I am not tied to any method of being able to execute a query from a lambda in acct11111 on redshift in acct222222. I just need to be able to execute the E of the TL in order to build what they actually want me to build. 😄 The assumedRole has been initial guidance for me to follow but if there is a better way of connecting pipes please let us know.