# aws
f
I’m having some trouble with `aws:assumeRole`. For the most part it works, but I just ran into a situation where pulumi fails to delete a resource, seemingly because it’s trying to do so without the `assumeRole` credentials. I have the following in my stack yaml:
```yaml
aws:assumeRole:
    roleArn: arn:aws:iam::WORKFLOW_ACCT_ID:role/AWSControlTowerExecution
```
I run `pulumi up` after assuming a role in the management account on the cli. I have a log statement in my pulumi program that shows that `assumeRole` is in effect and the caller id is for the workflow account. But it fails to delete a resource, saying the management account id isn’t allowed:
```text
Diagnostics:
  aws:ecr:LifecyclePolicy (axial-stream-repo):
    error: 1 error occurred:
    	* AWS Account ID not allowed: MGT_ACCT_ID

  pulumi:pulumi:Stack (axial-stream-dev):
    current caller identity: arn:aws:sts::WORKFLOW_ACCT_ID:assumed-role/AWSControlTowerExecution/aws-go-sdk-1684286516770199000
    IMAGE_TAG: latest
    error: update failed
```
Wondering if @dry-journalist-60579 has run into this issue 👀
d
Hmm oh whoa, I’ve never seen that…
Maybe ask ChatGPT what it thinks about it? Maybe there is some sort of policy set on one of the accounts that prevents certain actions?
f
The odd part is that it’s complaining about the mgt account, when it’s supposed to have assumed a role in the workflow account …
d
hmm weird 🙁
f
yeah this would be a blocker for me adopting pulumi deployments