https://pulumi.com logo
Title
a

able-energy-34495

04/18/2023, 3:55 AM
I'm a little embarrassed to ask this but is there a way to specify what AWS account the stack should apply to with pulumi?
Like, for example, I want the dev stack to deploy to the dev aws account, and stg to the stg aws account.
s

salmon-account-74572

04/18/2023, 4:20 AM
No need to be embarrassed, everyone has to start somewhere! You should be able to accomplish this by creating an explicit AWS provider and then defining the properties for the provider. More information is available at https://www.pulumi.com/registry/packages/aws/api-docs/provider/
a

able-energy-34495

04/18/2023, 4:22 AM
Awesome thank you Scott!
f

fresh-spring-82225

04/18/2023, 5:30 AM
Also take a look at the
aws:allowedAccountIds
config setting.
d

dry-journalist-60579

04/18/2023, 2:08 PM
What we do is generally have a
Pulumi.{stack}.yaml
per account and specify
config:
  aws:allowedAccountIds: [xxx]
in that yaml file
We aren’t using a an explicit provider (right now) in the code itself (except in special circumstances), but we use explicit assumed roles to run
pulumi up
via Pulumi Deployments
a

able-energy-34495

04/18/2023, 5:01 PM
Are you passing arguments to pulumi up? Can you guys show me an example of over riding the provider?
d

dry-journalist-60579

04/18/2023, 5:06 PM
So as far as I can tell, Pulumi acts on resources inside the account of the current role being used to create AWS resources. Via code you can explicitly create a provider: This is an example from our code that loops over all the accounts within an organization that has been setup via AWS Control Tower.
# Create Provider to assume role
provider = aws.Provider(
    f"Provider: {account.name}",
    region="us-east-1",
    assume_role={
        "roleArn": pulumi.Output.format(
            "arn:aws:iam::{0}:role/AWSControlTowerExecution", account.id
        ),
    },
)
This creates a provider per account such that you can create resources in a specific account:
aws.iam.AccountPasswordPolicy(
    name,
    **PASSWORD_PARAMS,
    opts=ResourceOptions(parent=self, provider=provider),
)
But for our “normal” stacks, which generally operate on a single account
a

able-energy-34495

04/18/2023, 5:07 PM
Oh awesome thank you for this Aaron
d

dry-journalist-60579

04/18/2023, 5:07 PM
We run
pulumi up
with (e.g.) AWS_* credentials in the CLI environment for a specific account
(In reality we use https://github.com/benkehoe/aws-sso-util and https://awsu.me/ because we’re using SSO rather than IAM roles with access keys/secrets)
So something like (after initial setup)
$ aws-sso-util login
# => browser opens and I approve

$ awsume MyAccount.AWSAdministratorAccess

$ pulumi up ...
And beyond that, we generally do not run
pulumi up
against any of our non-sandbox infrastructure. We use #pulumi-deployments to automatically run
pulumi up
when PRs are merged
This may be TMI, but we have a “bootstrap” stack that creates an OIDC provider role for Pulumi Deployments to assume during runs that lives in our management account. Since this role is in our management account, this role itself has the ability to assume another role in any of the child accounts in our organization: in particular, the
arn:aws:iam::{ACCOUNT_ID}:role/AWSControlTowerExecution
role. We then set up every stack with an explicit assume role configuration in the YAML:
# project/Pulumi.yaml
name: my-project
runtime:
  name: python


# project/Pulumi.prod.yaml
config:
  aws:allowedAccountIds: [xxx]
  aws:assumeRole:
    roleArn: arn:aws:iam::xxx:role/AWSControlTowerExecution
  aws:region: us-east-1
a

able-energy-34495

04/19/2023, 8:09 PM
Is there a way I could just do this with the aws credentials file?
We don't have roles or SSO set up for these accounts yet..
nevermind I got it 🙂