sparse-intern-71089
05/02/2023, 6:01 PM
fresh-spring-82225
05/02/2023, 6:05 PM
aws:assumeRole
fresh-spring-82225
05/02/2023, 6:11 PM
aws ecr get-login-password command is the problem …
dry-journalist-60579
05/02/2023, 6:19 PM
fresh-spring-82225
05/02/2023, 6:23 PM
fresh-spring-82225
05/02/2023, 6:23 PM
fresh-spring-82225
05/02/2023, 6:24 PM
dry-journalist-60579
05/02/2023, 6:32 PM
fresh-spring-82225
05/02/2023, 6:36 PM
local.Command (or local.run which I just discovered lol) of the aws cli, it runs as the original role and not the aws:assumeRole. So the result of executing this code is this:
current caller identity: arn:aws:sts::APP_ACCT_ID:assumed-role/AWSControlTowerExecution/aws-go-sdk-1683051997761320969
{
"UserId": "USER_ID:pulumi",
"Account": "MGT_ACCT_ID",
"Arn": "arn:aws:sts:MGT_ACCT_ID:assumed-role/PulumiOIDC/pulumi"
}
fresh-spring-82225
05/02/2023, 6:58 PM
aws.ecr.getAuthorizationTokenOutput instead of running local.Command with aws ecr get-login-password then it works
dry-journalist-60579
05/02/2023, 9:23 PM
fresh-spring-82225
05/04/2023, 7:12 PM
dry-journalist-60579
05/04/2023, 8:12 PM
infrastructure with all our Pulumi projects. Each Pulumi project uses Pulumi Deployments set up via GitHub integration to deploy the infrastructure that will act as a … “receptacle” for our application. Our application lives in another repo with its own CI/CD process on BuildKite (but could be GitHub Actions) where the images are built and pushed to the registry
dry-journalist-60579
05/04/2023, 8:12 PM
fresh-spring-82225
05/04/2023, 9:36 PM