https://pulumi.com logo
#aws
Title
# aws
h

hallowed-carpet-28381

07/26/2023, 11:20 AM
Hello, does anyone have used
pulumi stack change-secrets-provider
? Right now just investigate possible way to solve migration case, need to migrate stacks that use
KMS
from one
AWS account
to another, for example stack using
kms-aws-acc1
, in target account this key doesn’t exist, so I would change it e.g to
kms-aws-acc2
, but what can be a problem - I think command works in this way : decrypt secrets using key1 -> using key2 encrypt it again, so pulumi should have an access to both keys in one time. It okay to solve using some cross-accounts
IAM roles
etc., but we can’t specify something source account for each
key
, so pulumi don’t know into which account key is stored, where it should looking for. Please, let me know if someone have similar case, it’s just my thoughts. And I think about something like intermediate
secretProvider
: change secret-provider from
key1
->
default
or
passphrase
-> change
aws:allowedAccountIds
, change role to target account -> change secret-provider to
key2
that available in the account Does it’s possible what I have described? Please, let me know your thoughts, experience Thanks!
tested described approach, all what I mentioned looks correct, intermediate provider will work, but still would be grate in someone can share their experience 🙂
f

fierce-ability-58936

07/26/2023, 9:54 PM
Did you know you can specify an AWS profile for the state backend? https://www.pulumi.com/docs/concepts/state/#aws-s3 Similarly you can set it for the encryption provider - https://www.pulumi.com/docs/concepts/secrets/#available-encryption-providers So the state and the KMS key can be in different accounts.
h

hallowed-carpet-28381

07/27/2023, 12:20 PM
Cool, thanks, it will simplify the process