Is it possible with Pulumi to switch AWS profiles back and forth and deploy to multiple AWS accounts at once?
Use different providers for this. One provider is locked to one set of creds / profile, etc.
You can have as many providers as you like at one time though.
So I tried setting 2 providers
import * as aws from "@pulumi/aws";
// Each provider is pinned to one profile/account; a resource picks one via the `provider` option. `awsAccount` (the stage account ID) is defined elsewhere in the program.
const prodProfile = new aws.Provider('prodProvider', { profile: 'prod-admin', region: 'us-west-2', allowedAccountIds: ['########'] });
const defaultProvider = new aws.Provider('defaultProvider', { profile: 'stage-admin', region: 'us-west-2', allowedAccountIds: [awsAccount] });
but I get an assume role error
That's a separate problem. If the creds you're using to assume a role don't have permission to assume that role, then you'll get an assume role error.
But you can still use multiple providers to deploy resources to multiple accounts / regions within the same project.
so is the problem that the pulumi info in one account can't be accessed by the other because it needs assume role privileges?
// The zone is created through defaultProvider (the stage-admin profile).
let zone = new aws.route53.Zone(name, { name, comment }, {
    provider: defaultProvider,
    protect: true,
    ignoreChanges: ['comment'],
});
// cert and certRecord are resources defined elsewhere in the program.
// The NS record is created through prodProfile (the prod-admin profile), using outputs of the zone above.
const configureProdDNS = new aws.route53.Record(`${name}-prod-dns`, {
    zoneId: zone.zoneId,
    type: "NS",
    ttl: 30,
    records: zone.nameServers,
}, { provider: prodProfile, dependsOn: [zone, cert, certRecord] });
I figured it would pull the info on the pulumi side and share, but it sounds like it tries to access the zone info via an assume role?
The assume role is something you've set up. Pulumi doesn't do that. Maybe the profile you're using uses source_profile and role_arn? Or the profile you're constructing uses the assumeRole property?
Getting info out of a resource from one account into the constructor of a resource that will go to another account is normal. Pulumi handles this, the info itself isn't locked to any account.
I never setup assume role...
So you are doing the right thing.
If you can't use a profile because of a role assumption error, then the problem is only with the profile.
Have you checked your "prod-admin" and "stage-admin" profiles?
What sort of creds do they use?
they are STS roles
Using access key id and secret access key? Or source profile and role ARN?
SAML STS token
Doesn't that assume a role?
Maybe your session token has expired
It uses an aws credentials profile and the tokens are not expired, but I will test with non STS key and secret
You need 2 profiles though, right?
You've listed 2 profiles in your snippet above.
@little-cartoon-10569 thanks for your assistance. I realized I was putting the zone ID from a separate account and not the one from the account I was creating it in.