#aws

swift-fireman-31153

08/01/2023, 11:29 PM
Is it possible with aws.Provider to switch AWS profiles back and forth and deploy to multiple AWS accounts at once?

little-cartoon-10569

08/02/2023, 12:18 AM
Use different providers for this. One provider is locked to one set of creds / profile, etc.
You can have as many providers as you like at one time though.

swift-fireman-31153

08/02/2023, 12:19 AM
So I tried setting 2 providers
const prodProfile = new aws.Provider('prodProvider', { profile: 'prod-admin', region: 'us-west-2', allowedAccountIds: ['########'] });
const defaultProvider = new aws.Provider('defaultProvider', { profile: 'stage-admin', region: 'us-west-2', allowedAccountIds: [awsAccount] });
but I get an assume role error

little-cartoon-10569

08/02/2023, 12:23 AM
That's a separate problem. If the creds you're using to assume a role don't have permission to assume that role, then you'll get an assume role error.
But you can still use multiple providers to deploy resources to multiple accounts / regions within the same project.

swift-fireman-31153

08/02/2023, 12:24 AM
So is the problem that the Pulumi info in one account can't be accessed by the other because it needs assume role privileges?
let zone = new aws.route53.Zone(name, { name, comment }, {
    provider: defaultProvider,
    protect: true,
    ignoreChanges: ['comment']
});
const configureProdDNS = new aws.route53.Record(`${name}-prod-dns`, {
    name: zone.name,
    zoneId: zone.zoneId,
    type: "NS",
    ttl: 30,
    records: zone.nameServers,
}, { provider: prodProfile, dependsOn: [zone, cert, certRecord] });
I figured it would pull the info on the pulumi side and share, but it sounds like it tries to access the zone info via an assume role?

little-cartoon-10569

08/02/2023, 12:27 AM
The assume role is something you've set up. Pulumi doesn't do that. Maybe the profile you're using uses source_profile and role_arn? Or the profile you're constructing uses the assumeRole property?
Getting info out of a resource from one account into the constructor of a resource that will go to another account is normal. Pulumi handles this, the info itself isn't locked to any account.

swift-fireman-31153

08/02/2023, 12:28 AM
I never set up assume role...

little-cartoon-10569

08/02/2023, 12:28 AM
So you are doing the right thing.
If you can't use a profile because of a role assumption error, then the problem is only with the profile.
Have you checked your "prod-admin" and "stage-admin" profiles?
What sort of creds do they use?

swift-fireman-31153

08/02/2023, 12:29 AM
They are STS roles

little-cartoon-10569

08/02/2023, 12:30 AM
Using access key id and secret access key? Or source profile and role ARN?

swift-fireman-31153

08/02/2023, 12:31 AM
SAML STS token

little-cartoon-10569

08/02/2023, 12:31 AM
Doesn't that assume a role?
Maybe your session token has expired

swift-fireman-31153

08/02/2023, 12:32 AM
It uses an AWS credentials profile and the tokens are not expired, but I will test with a non-STS key and secret

little-cartoon-10569

08/02/2023, 12:33 AM
You need 2 profiles though, right?
You've listed 2 profiles in your snippet above.

swift-fireman-31153

08/02/2023, 12:34 AM
Yes
@little-cartoon-10569 thanks for your assistance. I realized I was putting the zoneid from a separate account and not the one from the account I was creating it in.