fresh-spring-82225

05/17/2023, 1:29 AM
I’m having some trouble with `aws:assumeRole`. For the most part it works, but I just ran into a situation where pulumi fails to delete a resource, seemingly because it’s trying to do so without the `assumeRole` credentials. I have the following in my stack yaml:
aws:assumeRole:
    roleArn: arn:aws:iam::WORKFLOW_ACCT_ID:role/AWSControlTowerExecution
I run `pulumi up` after assuming a role in the management account on the cli. I have a log statement in my pulumi program that shows that `assumeRole` is in effect and the caller id is for the workflow account. But it fails to delete a resource, saying the management account id isn’t allowed:
Diagnostics:
  aws:ecr:LifecyclePolicy (axial-stream-repo):
    error: 1 error occurred:
    	* AWS Account ID not allowed: MGT_ACCT_ID

  pulumi:pulumi:Stack (axial-stream-dev):
    current caller identity: arn:aws:sts::WORKFLOW_ACCT_ID:assumed-role/AWSControlTowerExecution/aws-go-sdk-1684286516770199000
    IMAGE_TAG: latest
    error: update failed
Wondering if @dry-journalist-60579 has run into this issue 👀
dry-journalist-60579

05/17/2023, 1:21 PM
Hmm oh whoa, I’ve never seen that…
Maybe ask ChatGPT what it thinks about it? Maybe there is some sort of policy set on one of the accounts that prevents certain actions?
fresh-spring-82225

05/17/2023, 3:14 PM
The odd part is that it’s complaining about the mgt account, when it’s supposed to have assumed a role in the workflow account …
dry-journalist-60579

05/17/2023, 3:46 PM
hmm weird 🙁
fresh-spring-82225

05/17/2023, 9:58 PM
yeah this would be a blocker for me adopting pulumi deployments