magnificent-pillow-80370
07/07/2023, 1:40 PM
aws_provider
The backend is S3. For each role and account, Pulumi saves sensitive data such as the access_key and secret_key
in the S3 backend stack file.
Is there a way to delete the custom aws_provider-related data once the stack has been executed?
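class AwsAssumeRole(ComponentResource):
    """
    Resource component to define the AWS role chaining to assume roles in different accounts.

    Calls STS ``AssumeRole`` for ``role_name`` in ``account`` with the ambient
    boto3 credentials, then builds an AWS ``Provider`` from the returned
    temporary credentials so child resources can be created in that account.
    The provider is exposed as ``self.provider``.
    """

    def __init__(self, name: str, role_name, region="us-east-1", account=None, opts=None):
        """
        Assume ``role_name`` in ``account`` and expose an AWS provider for it.

        :param name: Pulumi resource name of this component.
        :param role_name: Name of the IAM role to assume
            (``arn:aws:iam::<account>:role/<role_name>``); also used as the STS session name.
        :param region: AWS region the resulting provider is configured for.
        :param account: AWS account id that owns the role; required.
        :param opts: Resource options forwarded to ``ComponentResource``.
        :raises ValueError: if ``account`` is not given (the role ARN could not be built).
        """
        # Imported locally so the module-level import block is left untouched.
        from pulumi import Output

        if account is None:
            raise ValueError("account is required to build the role ARN")

        super().__init__(
            f"edge_network:modules:aws_role_chaining_{account}_{role_name}_{region}",
            name,
            opts,
        )
        self.account = account

        # Every program run (preview/up) performs a fresh AssumeRole with the
        # ambient credentials; the returned credentials are temporary.
        sts_client = boto3.client("sts")
        assume_role = sts_client.assume_role(
            RoleArn=f"arn:aws:iam::{self.account}:role/{role_name}",
            RoleSessionName=f"{role_name}",
        )
        credentials = assume_role["Credentials"]

        # Mark the temporary credentials as secrets so Pulumi encrypts them in
        # the stack state instead of writing them in plaintext to the backend.
        # They are re-issued on each run, so the copies in state are stale but
        # still must not be stored in the clear.
        aws_provider = Provider(
            f"aws_provider_for_role_{role_name}_{account}_{region}",
            access_key=Output.secret(credentials["AccessKeyId"]),
            secret_key=Output.secret(credentials["SecretAccessKey"]),
            token=Output.secret(credentials["SessionToken"]),
            region=region,
        )
        self.provider = aws_provider

        # Confirm the assumed identity through the new provider and publish its ARN.
        # NOTE: the export name is fixed, so several instances of this component
        # in one stack overwrite each other's stack output.
        aws_caller_identity = aws.get_caller_identity(opts=InvokeOptions(provider=aws_provider))
        export("current_assumed_role_arn", aws_caller_identity.arn)

        # Tell the engine this component has finished registering its children.
        self.register_outputs({"current_assumed_role_arn": aws_caller_identity.arn})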
magnificent-pillow-80370
07/11/2023, 11:14 AM