Is it possible with `aws.Provider` to switch aws p...
# awss
swift-fireman-31153
08/01/2023, 11:29 PMIs it possible with
aws.Providerl
little-cartoon-10569
08/02/2023, 12:18 AMUse different providers for this. One provider is locked to one set of creds / profile, etc.
little-cartoon-10569
08/02/2023, 12:18 AMYou can have as many providers as you like at one time though.
s
swift-fireman-31153
08/02/2023, 12:19 AMSo I tried setting 2 providers
swift-fireman-31153
08/02/2023, 12:19 AM Copy code
const prodProfile = new aws.Provider('prodProvider', { profile: 'prod-admin', region: 'us-west-2', allowedAccountIds: ['########'] });
const defaultProvider = new aws.Provider('defaultProvider', { profile: 'stage-admin', region: 'us-west-2', allowedAccountIds: [awsAccount] });swift-fireman-31153
08/02/2023, 12:20 AMbut I get an assume role error
l
little-cartoon-10569
08/02/2023, 12:23 AMThat's a separate problem. If the creds you're using to assume a role don't have permission to assume that role, then you'll get an assume role error.
little-cartoon-10569
08/02/2023, 12:23 AMBut you can still use multiple providers to deploy resources to multiple accounts / regions within the same project.
s
swift-fireman-31153
08/02/2023, 12:24 AMso is the problem that the pulumi info in one account can't be accessed by the other because it needs assume role privelages?
swift-fireman-31153
08/02/2023, 12:25 AM Copy code
let zone = new aws.route53.Zone(name, { name, comment }, {
provider: defaultProvider,
protect: true,
ignoreChanges: ['comment']
});
const configureProdDNS = new aws.route53.Record(`${name}-prod-dns`, {
name: zone.name,
zoneId: zone.zoneId,
type: "NS",
ttl: 30,
records: zone.nameServers,
}, { provider: prodProfile, dependsOn: [zone, cert, certRecord] });swift-fireman-31153
08/02/2023, 12:25 AMI figured it would pull the info on the pulumi side and share, but it sounds like it tries to access the zone info via an assume role?
l
little-cartoon-10569
08/02/2023, 12:27 AMThe assume role is something you've set up. Pulumi doesn't do that. Maybe the profile you're using uses source_profile and role_arn? Or the profile you're constructing uses the assumeRole property?
little-cartoon-10569
08/02/2023, 12:27 AMWould you like to ask a new question about this code snippet?
little-cartoon-10569
08/02/2023, 12:28 AMGetting info out of a resource from one account into the constructor of a resource that will go to another account is normal. Pulumi handles this, the info itself isn't locked to any account.
s
swift-fireman-31153
08/02/2023, 12:28 AMI never setup assume role...
l
little-cartoon-10569
08/02/2023, 12:28 AMSo you are doing the right thing.
little-cartoon-10569
08/02/2023, 12:28 AMIf you can't use a profile because of a role assumption error, then the problem is only with the profile.
little-cartoon-10569
08/02/2023, 12:29 AMHave you checked your "prod-admin" and "stage-admin" profiles?
little-cartoon-10569
08/02/2023, 12:29 AMWhat sort of creds do they use?
s
swift-fireman-31153
08/02/2023, 12:29 AMthey are sts roles
l
little-cartoon-10569
08/02/2023, 12:30 AMUsing access key id and secret access key? Or source profile and role ARN?
s
swift-fireman-31153
08/02/2023, 12:31 AMsaml sts token
l
little-cartoon-10569
08/02/2023, 12:31 AMDoesn't that assume a role?
little-cartoon-10569
08/02/2023, 12:32 AMMaybe your session token has expired
s
swift-fireman-31153
08/02/2023, 12:32 AMIt uses an aws credentials profile and the tokens are not expired, but I will test with non STS key and secret
l
little-cartoon-10569
08/02/2023, 12:33 AMYou need 2 profiles though, right?
little-cartoon-10569
08/02/2023, 12:33 AMYou've listed 2 profiles in your snippet above.
s
swift-fireman-31153
08/02/2023, 12:34 AMyes
swift-fireman-31153
08/02/2023, 6:23 PM@little-cartoon-10569 thanks for your assistance. I realized I was putting the zoneid from a seperate account and not the one from the account I was creating it in.