https://pulumi.com logo
Join Slack
Powered by
This message was deleted.
# automation-api
s
This message was deleted.
l
There is no way (afaik) to specify the provider used to access the backend: this has to be done using the normal AWS methods, usually via AWS_PROFILE, or the AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY pair. Profiles can be role-assuming profiles, or you can manually assume the role and get the access key of the assumed role into the access key env vars. For all other uses, you can create AWS providers that do what you need and pass them to the various resource constructors.
j
Hi @little-cartoon-10569 - thanks for your response. I'm not sure I explained my problem sufficiently so here's some more information.
specify the provider
that's not what i want ~ I'd like to specify a role
normal AWS methods, usually [...]
this is already done in my case by using the OpenID Connect method on github actions (via 
aws-actions/configure-aws-credentials
)
access the backend
accessing the backend is not the issue. Here's a sketch of the situation I'm in:
Copy code
[ AWS Account: 'security'
  - has a role 'CI-Role'
  - has the backend infra (S3 bucket + KMS key)
]

[ AWS Account: 'production'
   - this is where the stack needs to be deployed
   - has a role 'Deployment-Role' that has all the permissions required for the stack
   - the CI-Role is allowed to assume the Deployment-Role
]
Now in my pipeline, the CI Runner assumes the 
CI-Role
via OpenID Connect (i think this configures the 
ACCESS_KEY
credentials as env variables on the machine hosting the runner). This runner then executes the PulumiFN. But it needs to use two roles: The 
CI-Role
to access the backend hosted on the 
security
account and the 
Deployment-Role
to deploy the stack on the 
production
account.
l
You said that you don't want to specify the provider and you'd like to specify a role. These are the same thing: the provider is the Pulumi object that tells Pulumi which credentials to use. You set the role into the provider. Have a look here: https://www.pulumi.com/registry/packages/aws/api-docs/provider/ Check out properties like assume_role, assume_role_with_web_identity and profile (AWS profiles allow you to specify roles too).
j
Yes I know. But from what I've gathered, the automation API is an interface to the CLI (which I assume internally specifies a provider) and I guess at the CLI level it's possible to specify a role?
l
Your code specifies the provider. That's where you specify the role. In your Pulumi code.
One way is to use a profile in your AWS config that assumes a role:
Copy code
[profile assuming-role]
role_arn = arn:aws:iam::therestOfTheARN
source_profile = theOriginalProfileWithAccessKey
Then you can use that profile in your provider:
Copy code
const providerUsingProfileThatSpecifiesARoleToAssume = new aws.Provider("roleAssuming", {
  region: "us-west-2",
  profile: "assuming-role"
}
Another way is to assume the role in the provider directly:
Copy code
const providerAssumingARole = new aws.Provider("roleAssuming", {
  region: "us-west-2",
  assumeRole: {
    roleArn: "arn:aws:iam::therestOfTheARN",
    sessionName: "someString",
    sourceIdentity: "theOriginalProfileWithAccessKey"
  }
}
Then you can pass those providers into your resource constructors.
Note: I haven't testing the above code. In particular, I don't know what a valid "sourceIdentity" looks like. But hopefully it's something like that.
5 Views
Open in Slack
PreviousNext
Powered by