fresh-spring-82225
05/17/2023, 1:29 AM

aws:assumeRole. For the most part it works, but I just ran into a situation where pulumi fails to delete a resource, seemingly because it's trying to do so without the assumeRole credentials.

I have the following in my stack yaml:

    aws:assumeRole:
      roleArn: arn:aws:iam::WORKFLOW_ACCT_ID:role/AWSControlTowerExecution

I run pulumi up after assuming a role in the management account on the cli. I have a log statement in my pulumi program that shows that assumeRole is in effect and the caller id is for the workflow account. But it fails to delete a resource, saying the management account id isn't allowed:
    Diagnostics:
      aws:ecr:LifecyclePolicy (axial-stream-repo):
        error: 1 error occurred:
          * AWS Account ID not allowed: MGT_ACCT_ID

      pulumi:pulumi:Stack (axial-stream-dev):
        current caller identity: arn:aws:sts::WORKFLOW_ACCT_ID:assumed-role/AWSControlTowerExecution/aws-go-sdk-1684286516770199000
        IMAGE_TAG: latest
        error: update failed
dry-journalist-60579
05/17/2023, 1:21 PM

fresh-spring-82225
05/17/2023, 3:14 PM

dry-journalist-60579
05/17/2023, 3:46 PM

fresh-spring-82225
05/17/2023, 9:58 PM