#python

magnificent-pillow-80370

07/07/2023, 1:40 PM
I have a custom resource which I use to assume different roles in different accounts using a custom `aws_provider`. The backend is S3. For each role and account, Pulumi saves sensitive data like `access_key` and `secret_key` in the S3 backend stack file. Is there a way to delete the custom `aws_provider` related data once the stack has been executed?
```python
import boto3
import pulumi_aws as aws
from pulumi import ComponentResource, InvokeOptions, export
from pulumi_aws import Provider


class AwsAssumeRole(ComponentResource):
    """
    Resource component to define the AWS role chaining to assume roles in different accounts
    """

    def __init__(self, name: str, role_name, region="us-east-1", account=None, opts=None):
        """
        constructor for discovery of the current account id.
        :param name:
        :param opts:
        """
        super().__init__(f"edge_network:modules:aws_role_chaining_{account}_{role_name}_{region}", name, opts)

        self.account = account

        # Call STS directly to obtain temporary credentials for the target role
        sts_client = boto3.client("sts")
        assume_role = sts_client.assume_role(
            RoleArn=f"arn:aws:iam::{self.account}:role/{role_name}",
            RoleSessionName=f"{role_name}",
        )

        # Set assumed role credentials
        assumed_role_credentials = assume_role["Credentials"]

        # Create the AWS provider with temporary credentials
        aws_provider = Provider(f"aws_provider_for_role_{role_name}_{account}_{region}",
                                access_key=assumed_role_credentials["AccessKeyId"],
                                secret_key=assumed_role_credentials["SecretAccessKey"],
                                token=assumed_role_credentials["SessionToken"],
                                region=region,
                                )
        self.provider = aws_provider

        # Confirm which identity the provider resolves to and export its ARN
        aws_caller_identity = aws.get_caller_identity(opts=InvokeOptions(provider=aws_provider))
        export("current_assumed_role_arn", aws_caller_identity.arn)
```
Any guidance would be helpful.
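
A check for the condition described in the post, as an added example that is not part of the original message: it scans a stack state document for AWS provider resources whose credential fields are stored without Pulumi's secret envelope. The state layout (`checkpoint.latest.resources` or `deployment.resources`), the camelCase field names and the secret marker key are assumptions about Pulumi's state format, and the sample state is constructed.

```python
# Marker key Pulumi puts on encrypted values in state (assumed, see lead-in).
SECRET_SIG = "4dabf18193072939515e22adb298388d"
# Assumed camelCase names of the provider credential fields in state.
SENSITIVE = {"accessKey", "secretKey", "token"}


def _resources(state):
    """Return the resource list from a backend file or a stack export."""
    if "checkpoint" in state:  # assumed layout of the file kept in the backend
        return (state["checkpoint"].get("latest") or {}).get("resources") or []
    return (state.get("deployment") or {}).get("resources") or []


def _is_plaintext(value):
    """True for a non-empty value that is not wrapped in a secret envelope."""
    if isinstance(value, dict) and SECRET_SIG in value:
        return False
    return value not in (None, "", {})


def find_plaintext_provider_creds(state):
    """List (urn, section, key) for AWS provider credentials stored unencrypted."""
    findings = []
    for res in _resources(state):
        if res.get("type") != "pulumi:providers:aws":
            continue
        for section in ("inputs", "outputs"):
            for key, value in (res.get(section) or {}).items():
                if key in SENSITIVE and _is_plaintext(value):
                    findings.append((res.get("urn", "?"), section, key))
    return findings


# Constructed sample: one provider with plaintext keys, one with a wrapped key.
SAMPLE_STATE = {"version": 3, "checkpoint": {"latest": {"resources": [
    {"urn": "urn:pulumi:dev::demo::pulumi:providers:aws::plain",
     "type": "pulumi:providers:aws",
     "inputs": {"accessKey": "EXAMPLE-KEY-ID", "secretKey": "EXAMPLE-SECRET",
                "region": "us-east-1"}},
    {"urn": "urn:pulumi:dev::demo::pulumi:providers:aws::wrapped",
     "type": "pulumi:providers:aws",
     "inputs": {"secretKey": {SECRET_SIG: "1b47061264138c4ac30d75fd1eb44270",
                              "ciphertext": "constructed"}}},
]}}}

if __name__ == "__main__":
    for urn, section, key in find_plaintext_provider_creds(SAMPLE_STATE):
        print(f"PLAINTEXT {section}.{key} in {urn}")
```

Load the real stack file with `json.load` and pass the resulting dict to `find_plaintext_provider_creds`; an empty list means no AWS provider entry holds an unwrapped credential field.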