fresh-spring-82225
04/29/2023, 1:20 AM
aws:assumeRole set to {"roleArn":"arn:aws:iam::ACCOUNT_ID:role/AWSControlTowerExecution"}, which means it should have permission to do anything
aws:ec2:Instance (axial-instance):
error: refreshing urn:pulumi:dev::axial::aws:ec2/instance:Instance::axial-instance: 1 error occurred:
* reading EC2 Instance (i-06d84518ff9f473e4): UnauthorizedOperation: You are not authorized to perform this operation.
status code: 403, request id: a2712cf6-60af-48c8-a29f-0f678d60aa77
aws:lambda:FunctionEventInvokeConfig (aca-invoke):
error: refreshing urn:pulumi:dev::axial::aws:lambda/functionEventInvokeConfig:FunctionEventInvokeConfig::aca-invoke: 1 error occurred:
* reading Lambda Function Event Invoke Config (aca-function-f91f427): AccessDeniedException:
status code: 403, request id: 1816cf65-e8e3-43e0-9761-5ee96162faa7
aws:lambda:Function (aca-function):
error: refreshing urn:pulumi:dev::axial::aws:lambda/function:Function::aca-function: 1 error occurred:
* reading Lambda Function (aca-function-f91f427): AccessDeniedException:
status code: 403, request id: 297e078c-bffa-48df-b970-4a7374b33e39
pulumi refresh from the command line and it completed successfully, correctly noting that the resources had been deleted:
- ├─ aws:lambda:FunctionEventInvokeConfig aca-invoke deleted (1s)
├─ command:local:Command axial-get-date
├─ pulumi:pulumi:StackReference monolith-corp/trc/dev
- ├─ aws:lambda:Function aca-function deleted (1s)
- └─ aws:ec2:Instance axial-instance deleted (1s)
aws:assumeRole was not respected
lemon-agent-27707
04/30/2023, 12:55 PM
fresh-spring-82225
05/01/2023, 5:07 AM
lemon-agent-27707
05/01/2023, 2:03 PM
dry-journalist-60579
05/01/2023, 3:05 PM
fresh-spring-82225
05/01/2023, 4:14 PM
aws:assumeRole set as follows:
aws:assumeRole:
roleArn: arn:aws:iam::APP_ACCT_ID:role/AWSControlTowerExecution
The error messages I’m now seeing on running update in pulumi deployments:
command:local:Command [...] creating (12s) An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts:MGT_ACCT_ID:assumed-role/PulumiDeploymentsRole/pulumi is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action
which tells me the assumeRole setting in my Pulumi.dev.yaml file isn't taking effect
dry-journalist-60579
05/01/2023, 4:20 PM
import pulumi
import pulumi_aws as aws
import json

# Create OIDC provider for Pulumi Deployments
oidc_provider = aws.iam.OpenIdConnectProvider(
    "Pulumi OIDC Provider",
    client_id_lists=["myorg"],
    thumbprint_lists=["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"],
    url="https://api.pulumi.com/oidc",
)

# Role that Pulumi Deployments assumes via AssumeRoleWithWebIdentity;
# the trust policy only accepts tokens from the provider above whose
# audience claim is "myorg"
oidc_provider_role = aws.iam.Role(
    "Pulumi OIDC Provider Role",
    name="PulumiOIDC",
    assume_role_policy=oidc_provider.arn.apply(
        lambda arn: json.dumps(
            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Federated": arn,
                        },
                        "Action": "sts:AssumeRoleWithWebIdentity",
                        "Condition": {
                            "StringEquals": {
                                "api.pulumi.com/oidc:aud": "myorg",
                            }
                        },
                    }
                ],
            }
        )
    ),
    # Permissions granted to whatever assumes the role
    managed_policy_arns=["arn:aws:iam::aws:policy/AdministratorAccess"],
)

pulumi.export("PulumiOIDCRoleArn", oidc_provider_role.arn)
fresh-spring-82225
05/01/2023, 6:42 PM
dry-journalist-60579
05/01/2023, 6:46 PM