This message was deleted.
# pulumi-deploymentss
sparse-intern-71089
04/29/2023, 1:20 AMThis message was deleted.
f
fresh-spring-82225
04/29/2023, 1:25 AMI had some resources that were deleted externally to pulumi. When I tried to do a refresh in pulumi deployments, I got this a bunch of “not authorized” errors. Which is weird, since the stack config has
aws:assumeRole{"roleArn":"arn:aws:iam::ACCOUNT_ID:role/AWSControlTowerExecution"} Copy code
aws:ec2:Instance (axial-instance):
error: refreshing urn:pulumi:dev::axial::aws:ec2/instance:Instance::axial-instance: 1 error occurred:
* reading EC2 Instance (i-06d84518ff9f473e4): UnauthorizedOperation: You are not authorized to perform this operation.
status code: 403, request id: a2712cf6-60af-48c8-a29f-0f678d60aa77
aws:lambda:FunctionEventInvokeConfig (aca-invoke):
error: refreshing urn:pulumi:dev::axial::aws:lambda/functionEventInvokeConfig:FunctionEventInvokeConfig::aca-invoke: 1 error occurred:
* reading Lambda Function Event Invoke Config (aca-function-f91f427): AccessDeniedException:
status code: 403, request id: 1816cf65-e8e3-43e0-9761-5ee96162faa7
aws:lambda:Function (aca-function):
error: refreshing urn:pulumi:dev::axial::aws:lambda/function:Function::aca-function: 1 error occurred:
* reading Lambda Function (aca-function-f91f427): AccessDeniedException:
status code: 403, request id: 297e078c-bffa-48df-b970-4a7374b33e39fresh-spring-82225
04/29/2023, 1:26 AMI then ran
pulumi refresh Copy code
- ├─ aws:lambda:FunctionEventInvokeConfig aca-invoke deleted (1s)
├─ command:local:Command axial-get-date
├─ pulumi:pulumi:StackReference monolith-corp/trc/dev
- ├─ aws:lambda:Function aca-function deleted (1s)
- └─ aws:ec2:Instance axial-instance deleted (1s)fresh-spring-82225
04/29/2023, 1:27 AMSo, obviously I can’t reproduce the bug now 😕 but as I said, just in case anyone else runs into this situation …
fresh-spring-82225
04/29/2023, 6:07 PMworking on this further, I think the problem is that my
aws:assumeRolel
lemon-agent-27707
04/30/2023, 12:55 PMAre you using OIDC?
f
fresh-spring-82225
05/01/2023, 5:07 AMYes
l
lemon-agent-27707
05/01/2023, 2:03 PMIf you think there is a bug here, would love to get an issue open: github.com/pulumi/pulumi-cloud-requests/issues/new
Are you able to configure OIDC to use that role directly instead of assuming into it once you get OIDC credentials?
lemon-agent-27707
05/01/2023, 2:06 PMFrom a little searching, it sounds like assume role with OIDC might require you to set up some extra IAM roles. There is a package you could try to use (haven't tried it myself): https://www.pulumi.com/registry/packages/aws-iam/api-docs/assumablerolewithoidc/
Or the underlying reference implementation might be useful just to look at: https://github.com/pulumi/pulumi-aws-iam/blob/master/provider/pkg/provider/assumable_role_with_oidc.go#L146-L152
lemon-agent-27707
05/01/2023, 2:07 PM@dry-journalist-60579 I believe you were using assume role with OIDC. Did you end up getting it working? Curious if you ever tried out the resources linked above.
d
dry-journalist-60579
05/01/2023, 3:05 PMOh yeah we have been using OIDC smoothly with pulumi deployments
dry-journalist-60579
05/01/2023, 3:06 PMWe have a stack that bootstraps the creation of that role and maintains it going forward. We then specify that role in the assume role config for all our deployments
f
fresh-spring-82225
05/01/2023, 4:14 PMHere’s what I’ve done so far:
• created an identity provider in my control tower management account, arnawsiamMGT ACCT IDoidc-provider/api.pulumi.com/oidc
• created a role for pulumi deployments to assume, arnawsiamMGT ACCT IDrole/PulumiDeploymentsRole
◦ trust relationship allows the above federated principal to assume the role
◦ permission policy is the AWSControlTowerStackSetRolePolicy created by control tower, which allows assuming arnawsiam::*:role/AWSControlTowerExecution
• in my application stack, I have
aws:assumeRole Copy code
aws:assumeRole:
roleArn: arn:aws:iam::APP_ACCT_ID:role/AWSControlTowerExecution Copy code
command:local:Command [...] creating (12s) An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts:MGT_ACCT_ID:assumed-role/PulumiDeploymentsRole/pulumi is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken actionassumeRolePulumi.dev.yamld
dry-journalist-60579
05/01/2023, 4:20 PM@fresh-spring-82225 for what it’s worth, here is the Pulumi code I used to create the OIDC role that works for us:
Copy code
import pulumi
import pulumi_aws as aws
import json
# Create OIDC provider for Pulumi Deployments
oidc_provider = aws.iam.OpenIdConnectProvider(
"Pulumi OIDC Provider",
client_id_lists=["myorg"],
thumbprint_lists=["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"],
url="<https://api.pulumi.com/oidc>",
)
oidc_provider_role = aws.iam.Role(
"Pulumi OIDC Provider Role",
name="PulumiOIDC",
assume_role_policy=oidc_provider.arn.apply(
lambda arn: json.dumps(
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": arn,
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"<http://api.pulumi.com/oidc:aud|api.pulumi.com/oidc:aud>": "myorg",
}
},
}
],
}
)
),
managed_policy_arns=["arn:aws:iam::aws:policy/AdministratorAccess"],
)
pulumi.export("PulumiOIDCRoleArn", oidc_provider_role.arn)f
fresh-spring-82225
05/01/2023, 6:42 PM@dry-journalist-60579 I recreated this (in typescript) for my management account, and it seems to have unblocked my application stack. The difference is that I was using AWSControlTowerStackSetRolePolicy instead of AdministratorAccess
d
dry-journalist-60579
05/01/2023, 6:46 PMAh nice! I’m not sure what the proper least privilege configuration is but at least it’s working for now :)
✅ 1
4 Views