jolly-megabyte-6233
07/11/2023, 3:45 PM
LocalWorkspace.createOrSelectStack?
Here's the relevant section of my code; I've marked the line where I think the info needs to go.
  const stack = await LocalWorkspace.createOrSelectStack(
    {
      projectName: config.projectName,
      stackName: config.stackName,
      program: config.program,
    },
    {
      projectSettings: {
        name: config.projectName,
        runtime: "nodejs",
        backend: { url },
      },
      secretsProvider,
      stackSettings: {
        [config.stackName]: {
          secretsProvider,
          config: {
            "aws:region": config.region,
            // --- I guess this is where I need to put the role ARN? -- But what's the key? ---
          },
        },
      },
    }
  );
(Background: I'm working with multiple accounts - the CI role executing this program and the S3 backend specified by the url don't live on the account where I want to deploy the stack. So I have two roles: a CI role that is used by the CI runner. This role is allowed to assume a second role on the target account for the stack.)
little-cartoon-10569
07/11/2023, 8:34 PM
jolly-megabyte-6233
07/12/2023, 8:54 AM
> specify the provider
that's not what I want ~ I'd like to specify a role
> normal AWS methods, usually [...]
this is already done in my case by using the OpenID Connect method on github actions (via aws-actions/configure-aws-credentials)
> access the backend
accessing the backend is not the issue. Here's a sketch of the situation I'm in:
[ AWS Account: 'security'
- has a role 'CI-Role'
- has the backend infra (S3 bucket + KMS key)
]
[ AWS Account: 'production'
- this is where the stack needs to be deployed
- has a role 'Deployment-Role' that has all the permissions required for the stack
- the CI-Role is allowed to assume the Deployment-Role
]
Now in my pipeline, the CI Runner assumes the CI-Role via OpenID Connect (I think this configures the ACCESS_KEY credentials as env variables on the machine hosting the runner). This runner then executes the PulumiFn. But it needs to use two roles: the CI-Role to access the backend hosted on the security account and the Deployment-Role to deploy the stack on the production account.
little-cartoon-10569
07/12/2023, 7:35 PM
jolly-megabyte-6233
07/13/2023, 8:27 AM
little-cartoon-10569
07/16/2023, 1:58 AM
[profile assuming-role]
role_arn = arn:aws:iam::therestOfTheARN
source_profile = theOriginalProfileWithAccessKey
Then you can use that profile in your provider:
  import * as aws from "@pulumi/aws";

  // Option 1: point the provider at the AWS config profile that names the role to assume.
  const providerUsingProfileThatSpecifiesARoleToAssume = new aws.Provider("roleAssuming", {
    region: "us-west-2",
    profile: "assuming-role",
  });

  // Option 2 (alternative to option 1, not in addition to it): let the provider
  // assume the role directly, without a named profile.
  const providerAssumingARole = new aws.Provider("roleAssuming", {
    region: "us-west-2",
    assumeRole: {
      roleArn: "arn:aws:iam::therestOfTheARN",
      sessionName: "someString",
      sourceIdentity: "theOriginalProfileWithAccessKey",
    },
  });