i thought about maybe setting `aws defaultTags` in the confi Pulumi Community #aws

i thought about maybe setting `aws:defaultTags` in...

icy-controller-6092

07/06/2023, 6:24 AM

i thought about maybe setting

aws:defaultTags

in the config, and then trying to write a policy for the deployment user that allows it to work with any resources that have the

user:Project=myproject

tag

little-cartoon-10569

07/06/2023, 8:30 PM

Assuming that you're talking about running Pulumi from an EC2 instance, and you want it to have all the required privileges, then I don't think either of these will be a good way to put a boundary on the permissions. New resources won't have any existing tags, so you can't say "create resource X if resource X has tag Y".

little-cartoon-10569

07/06/2023, 8:31 PM

Also: why do you need a user? A role should be enough. A role has the advantage that it can be applied to an EC2 instance profile, or used by anything else that should have the same permissions.

little-cartoon-10569

07/06/2023, 8:31 PM

You may want to deploy Pulumi using an SSO-authenticated user, and you wouldn't be able to use your IAM user in that case.

little-cartoon-10569

07/06/2023, 8:33 PM

A simpler idea would be to give your Pulumi creds full admin privileges for accounts that Pulumi can manage, and don't allow Pulumi any access to sensitive accounts (e.g. billing). Use the account as the boundary.

icy-controller-6092

07/06/2023, 11:22 PM

New resources won't have any existing tags, so you can't say "create resource X if resource X has tag Y".

I think I might have got this working, just need to use

aws:RequestTag

instead of

aws:ResourceTag

icy-controller-6092

07/06/2023, 11:23 PM

I'm also working solo so deployments run from my local machine for now, and I want to avoid creating an access key for my root account so I needed another user for local laptop deploys

icy-controller-6092

07/06/2023, 11:28 PM

Here's the pulumi YAML config and then two IAM inline policies I have on the user, and it seems to be working well. 1. pulumi config:

Copy code

config:
  aws:defaultTags:
    tags:
      user:Project: my_pulumi_project

2. tagging policy

Copy code

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "tag:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/user:Project": "my_pulumi_project"
        }
      }
    }
  ]
}

3. manage resources

Copy code

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*",
        "s3:*",
        "lambda:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/user:Project": "my_pulumi_project"
        }
      }
    }
  ]
}

icy-controller-6092

07/06/2023, 11:31 PM

it's probably not as secure as it could be, and I may run into other issues as I haven't tested a deploy or teardown of my full stack - but I guess it's a step up from what I was doing previously, which was using root account access key

little-cartoon-10569

07/07/2023, 1:23 AM

If you're using your root account at all, for anything, then you're not really compromising yourself any further by using IAM user with admin access for Pulumi. Anything you do that's better than that, is good :)

2 Views

Open in Slack

Previous Next