sparse-intern-71089
07/11/2023, 3:45 PM

little-cartoon-10569
07/11/2023, 8:34 PM

jolly-megabyte-6233
07/12/2023, 8:54 AM
"specify the provider"
That's not what I want ~ I'd like to specify a role.
"normal AWS methods, usually [...]"
This is already done in my case by using the OpenID Connect method on GitHub Actions (via aws-actions/configure-aws-credentials).
"access the backend"
Accessing the backend is not the issue. Here's a sketch of the situation I'm in:
[ AWS Account: 'security'
- has a role 'CI-Role'
- has the backend infra (S3 bucket + KMS key)
]
[ AWS Account: 'production'
- this is where the stack needs to be deployed
- has a role 'Deployment-Role' that has all the permissions required for the stack
- the CI-Role is allowed to assume the Deployment-Role
]
Now in my pipeline, the CI Runner assumes the CI-Role via OpenID Connect (I think this configures the ACCESS_KEY credentials as env variables on the machine hosting the runner). This runner then executes the PulumiFN. But it needs to use two roles: the CI-Role to access the backend hosted on the security account, and the Deployment-Role to deploy the stack on the production account.

little-cartoon-10569
07/12/2023, 7:35 PM

jolly-megabyte-6233
07/13/2023, 8:27 AM

little-cartoon-10569
07/16/2023, 1:58 AM

little-cartoon-10569
07/16/2023, 2:01 AM
    [profile assuming-role]
    role_arn = arn:aws:iam::therestOfTheARN
    source_profile = theOriginalProfileWithAccessKey
Then you can use that profile in your provider:
    // Provider that authenticates through the named profile, which in turn assumes the role
    const providerUsingProfileThatSpecifiesARoleToAssume = new aws.Provider("roleAssuming", {
        region: "us-west-2",
        profile: "assuming-role",
    });
little-cartoon-10569
07/16/2023, 2:05 AM
    // Provider that assumes the role directly through STS, without a named profile
    const providerAssumingARole = new aws.Provider("roleAssuming", {
        region: "us-west-2",
        assumeRole: {
            roleArn: "arn:aws:iam::therestOfTheARN",
            sessionName: "someString", // STS session name, recorded in CloudTrail
            sourceIdentity: "theOriginalProfileWithAccessKey", // STS SourceIdentity value recorded for the assumed-role session
        },
    });
little-cartoon-10569
07/16/2023, 2:05 AM

little-cartoon-10569
07/16/2023, 2:06 AM