https://pulumi.com logo
#automation-api
Title
# automation-api
j

jolly-megabyte-6233

07/11/2023, 3:45 PM
This might be a question with a short answer but I did not find it in the docs: I'm on AWS. How do I configure the role to assume when using
LocalWorkspace.createOrSelectStack
? Here's the relevant section of my code; I've marked the line where I think the info needs to go.
Copy code
const stack = await LocalWorkspace.createOrSelectStack(
    {
        projectName: config.projectName,
        stackName: config.stackName,
        program: config.program,
    },
    {
        projectSettings: {
            name: config.projectName,
            runtime: "nodejs",
            backend: { url },
        },
        secretsProvider,
        stackSettings: {
            [config.stackName]: {
                secretsProvider,
                config: {
                    "aws:region": config.region,
                    // --- I guess this is where I need to put the role ARN? -- But what's the key? --- 
                },
            },
        },
    }
)
(Background: I'm working with multiple accounts - The CI role executing this program and the S3 backend specified by the
url
don't live on the account where I want to deploy the stack. So I have two roles: A CI role that is used by the CI runner. This role is allowed to assume a second role on the target account for the stack)
l

little-cartoon-10569

07/11/2023, 8:34 PM
There is no way (afaik) to specify the provider used to access the backend: this has to be done using the normal AWS methods, usually via AWS_PROFILE, or the AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY pair. Profiles can be role-assuming profiles, or you can manually assume the role and get the access key of the assumed role into the access key env vars. For all other uses, you can create AWS providers that do what you need and pass them to the various resource constructors.
j

jolly-megabyte-6233

07/12/2023, 8:54 AM
Hi @little-cartoon-10569 - thanks for your response. I'm not sure I explained my problem sufficiently so here's some more information.
specify the provider
that's not what i want ~ I'd like to specify a role
normal AWS methods, usually [...]
this is already done in my case by using the OpenID Connect method on github actions (via
aws-actions/configure-aws-credentials
)
access the backend
accessing the backend is not the issue. Here's a sketch of the situation I'm in:
Copy code
[ AWS Account: 'security'
  - has a role 'CI-Role'
  - has the backend infra (S3 bucket + KMS key)
]

[ AWS Account: 'production'
   - this is where the stack needs to be deployed
   - has a role 'Deployment-Role' that has all the permissions required for the stack
   - the CI-Role is allowed to assume the Deployment-Role
]
Now in my pipeline, the CI Runner assumes the
CI-Role
via OpenID Connect (i think this configures the
ACCESS_KEY
credentials as env variables on the machine hosting the runner). This runner then executes the PulumiFN. But it needs to use two roles: The
CI-Role
to access the backend hosted on the
security
account and the
Deployment-Role
to deploy the stack on the
production
account.
l

little-cartoon-10569

07/12/2023, 7:35 PM
You said that you don't want to specify the provider and you'd like to specify a role. These are the same thing: the provider is the Pulumi object that tells Pulumi which credentials to use. You set the role into the provider. Have a look here: https://www.pulumi.com/registry/packages/aws/api-docs/provider/ Check out properties like assume_role, assume_role_with_web_identity and profile (AWS profiles allow you to specify roles too).
j

jolly-megabyte-6233

07/13/2023, 8:27 AM
Yes I know. But from what I've gathered, the automation API is an interface to the CLI (which I assume internally specifies a provider) and I guess at the CLI level it's possible to specify a role?
l

little-cartoon-10569

07/16/2023, 1:58 AM
Your code specifies the provider. That's where you specify the role. In your Pulumi code.
One way is to use a profile in your AWS config that assumes a role:
Copy code
[profile assuming-role]
role_arn = arn:aws:iam::therestOfTheARN
source_profile = theOriginalProfileWithAccessKey
Then you can use that profile in your provider:
Copy code
const providerUsingProfileThatSpecifiesARoleToAssume = new aws.Provider("roleAssuming", {
  region: "us-west-2",
  profile: "assuming-role"
}
Another way is to assume the role in the provider directly:
Copy code
const providerAssumingARole = new aws.Provider("roleAssuming", {
  region: "us-west-2",
  assumeRole: {
    roleArn: "arn:aws:iam::therestOfTheARN",
    sessionName: "someString",
    sourceIdentity: "theOriginalProfileWithAccessKey"
  }
}
Then you can pass those providers into your resource constructors.
Note: I haven't testing the above code. In particular, I don't know what a valid "sourceIdentity" looks like. But hopefully it's something like that.
5 Views