hallowed-carpet-28381
07/26/2023, 11:20 AM
pulumi stack change-secrets-provider? Right now I am just investigating a possible way to solve a migration case: I need to migrate stacks that use KMS from one AWS account to another. For example, a stack is using kms-aws-acc1; in the target account this key doesn't exist, so I would change it, e.g. to kms-aws-acc2. But what can be a problem: I think the command works in this way: decrypt secrets using key1 -> encrypt them again using key2, so pulumi should have access to both keys at one time. It's okay to solve this using some cross-account IAM roles etc., but we can't specify something like a source account for each key, so pulumi doesn't know in which account a key is stored and where it should look for it. Please let me know if someone has a similar case, it's just my thoughts.
And I am thinking about something like an intermediate secretProvider: change secret-provider from key1 -> default or passphrase -> change aws:allowedAccountIds, change role to target account -> change secret-provider to key2 that is available in the account.
Is what I have described possible? Please let me know your thoughts and experience.
Thanks!
hallowed-carpet-28381
07/26/2023, 2:00 PM
fierce-ability-58936
07/26/2023, 9:54 PM
hallowed-carpet-28381
07/27/2023, 12:20 PM