late-piano-64593
07/27/2023, 8:59 PM
s3://...
?

stocky-restaurant-98004
07/28/2023, 3:07 PM
pulumi up. You can pass a profile to pulumi login for S3 state file storage, whereas the principal for pulumi up is determined either by provider config or by the standard AWS credentials chain (AWS_PROFILE, security keys, etc.).

late-piano-64593
07/28/2023, 5:17 PM
backend.url in Pulumi.yaml when I switched between accounts, correct?
I could solve this with bucket policies and skip the assume-role, but I feel like that's not the "right" way to do it. I might be missing something though.
url field when switching between accounts. Does that mean that the current design requires that my dev account have full permissions to accidentally overwrite the state bucket of prod?

stocky-restaurant-98004
08/09/2023, 8:08 PM
dev/ folder.

late-piano-64593
08/09/2023, 8:55 PM
backend.url in the stack-level settings, e.g. Pulumi.dev.yaml? TIL! Is there documentation of that schema somewhere?

stocky-restaurant-98004
08/10/2023, 1:36 PM
{{ backend.url}}/{{ project }}/{{ stack }}, or a backend.url per project if it's just {{ backend.url}}/{{ stack }}. I would guess it's the former, but IDK for sure.

late-piano-64593
08/10/2023, 5:38 PM
backend.url for the project, then if pulumi only touched specific subdirectories in that root, per stack, I could scope the S3 permissions correctly to prevent accountA (dev) from being able to Put/Get in accountB (prod)'s stacks. But right now in S3 the backend.url root is just a .pulumi/ with some high-level metadata and then the stacks/ directory below that.

stocky-restaurant-98004
08/11/2023, 4:59 PM
backend.url for everything: https://www.pulumi.com/blog/project-scoped-stacks-in-self-managed-backend/

late-piano-64593
08/12/2023, 4:08 PM
pulumi state upgrade so far has not changed the structure in S3 to match that folder structure, but I am gonna try migrating to a new bucket next week.
backups, history, stacks, etc., then encode the specific stack names into those resource rules.
It's possible, but it means that I would need to update the IAM every time I need to add a new stack (if, for example, the dev AWS account might have multiple stacks in it while prod only has 1).