fresh-spring-82225
05/02/2023, 6:01 PM
arn:aws:sts::MGT_ACCT_ID:assumed-role/PulumiOIDC/pulumi in my control tower management account
• in `Pulumi.dev.yaml` I have `aws:assumeRole` set to arn:aws:iam::APP_ACCT_ID:role/AWSControlTowerExecution
• when I log the result of `aws.getCallerIdentity` I get arn:aws:sts::APP_ACCT_ID:assumed-role/AWSControlTowerExecution/aws-go-sdk-1683049420464527015, which shows me that `aws:assumeRole` is working
• … but I’m no longer able to push a docker image to ecr. It seems the code invoked by `docker.Image` doesn’t use the role given by `aws:assumeRole`:

```
docker:index:Image APP_IMAGE updating (1s) [diff: ~build];
warning: Failed to pull cached image APP_ACCT_ID.dkr.ecr.us-east-2.amazonaws.com/APP_REPO:latest:
Error pulling cached image APP_ACCT_ID.dkr.ecr.us-east-2.amazonaws.com/APP_REPO:latest:
Error response from daemon: pull access denied for APP_ACCT_ID.dkr.ecr.us-east-2.amazonaws.com/APP_REPO,
repository does not exist or may require 'docker login': denied:
User: arn:aws:sts::MGT_ACCT_ID:assumed-role/PulumiOIDC/pulumi is not authorized
to perform: ecr:BatchGetImage on resource: arn:aws:ecr:us-east-2:APP_ACCT_ID:repository/APP_REPO
because no resource-based policy allows the ecr:BatchGetImage action
```

`aws:assumeRole`
`aws ecr get-login-password`
command is the problem …

dry-journalist-60579
05/02/2023, 6:19 PM

fresh-spring-82225
05/02/2023, 6:23 PM

dry-journalist-60579
05/02/2023, 6:32 PM

fresh-spring-82225
05/02/2023, 6:36 PM
`local.Command` (or `local.run` which I just discovered lol) of the aws cli, it runs as the original role and not the `aws:assumeRole`. So the result of executing this code is this:

```
current caller identity: arn:aws:sts::APP_ACCT_ID:assumed-role/AWSControlTowerExecution/aws-go-sdk-1683051997761320969
{
"UserId": "USER_ID:pulumi",
"Account": "MGT_ACCT_ID",
"Arn": "arn:aws:sts:MGT_ACCT_ID:assumed-role/PulumiOIDC/pulumi"
}
```

`aws.ecr.getAuthorizationTokenOutput` instead of running `local.Command` with `aws ecr get-login-password` then it works

dry-journalist-60579
05/02/2023, 9:23 PM

fresh-spring-82225
05/04/2023, 7:12 PM

dry-journalist-60579
05/04/2023, 8:12 PM
`infrastructure` with all our Pulumi projects. Each Pulumi project uses Pulumi Deployments set up via GitHub integration to deploy the infrastructure that will act as a … “receptacle” for our application. Our application lives in another repo with its own CI/CD process on BuildKite (but could be GitHub Actions) where the images are built and pushed to the registry

fresh-spring-82225
05/04/2023, 9:36 PM