This might be a question with a short answer but I did not find it in the docs: I'm on AWS. How do I configure the role to assume when using

LocalWorkspace.createOrSelectStack

? Here's the relevant section of my code; I've marked the line where I think the info needs to go.

const stack = await LocalWorkspace.createOrSelectStack(
    {
        projectName: config.projectName,
        stackName: config.stackName,
        program: config.program,
    },
    {
        projectSettings: {
            name: config.projectName,
            runtime: "nodejs",
            backend: { url },
        },
        secretsProvider,
        stackSettings: {
            [config.stackName]: {
                secretsProvider,
                config: {
                    "aws:region": config.region,
                    // --- I guess this is where I need to put the role ARN? -- But what's the key? --- 
                },
            },
        },
    }
)

(Background: I'm working with multiple accounts - The CI role executing this program and the S3 backend specified by the

url

don't live on the account where I want to deploy the stack. So I have two roles: A CI role that is used by the CI runner. This role is allowed to assume a second role on the target account for the stack)

There is no way (afaik) to specify the provider used to access the backend: this has to be done using the normal AWS methods, usually via AWS_PROFILE, or the AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY pair. Profiles can be role-assuming profiles, or you can manually assume the role and get the access key of the assumed role into the access key env vars. For all other uses, you can create AWS providers that do what you need and pass them to the various resource constructors.

Hi @little-cartoon-10569 - thanks for your response. I'm not sure I explained my problem sufficiently so here's some more information.

specify the provider

that's not what i want ~ I'd like to specify a role

normal AWS methods, usually [...]

this is already done in my case by using the OpenID Connect method on github actions (via

aws-actions/configure-aws-credentials

)

access the backend

accessing the backend is not the issue. Here's a sketch of the situation I'm in:

[ AWS Account: 'security'
  - has a role 'CI-Role'
  - has the backend infra (S3 bucket + KMS key)
]

[ AWS Account: 'production'
   - this is where the stack needs to be deployed
   - has a role 'Deployment-Role' that has all the permissions required for the stack
   - the CI-Role is allowed to assume the Deployment-Role
]

Now in my pipeline, the CI Runner assumes the

CI-Role

via OpenID Connect (i think this configures the

ACCESS_KEY

credentials as env variables on the machine hosting the runner). This runner then executes the PulumiFN. But it needs to use two roles: The

CI-Role

to access the backend hosted on the

security

account and the

Deployment-Role

to deploy the stack on the

production

account.

You said that you don't want to specify the provider and you'd like to specify a role. These are the same thing: the provider is the Pulumi object that tells Pulumi which credentials to use. You set the role into the provider. Have a look here: https://www.pulumi.com/registry/packages/aws/api-docs/provider/ Check out properties like assume_role, assume_role_with_web_identity and profile (AWS profiles allow you to specify roles too).

Yes I know. But from what I've gathered, the automation API is an interface to the CLI (which I assume internally specifies a provider) and I guess at the CLI level it's possible to specify a role?

Your code specifies the provider. That's where you specify the role. In your Pulumi code.