sparse-intern-71089
11/01/2023, 11:52 AM

clever-sunset-76585
11/01/2023, 12:32 PM
route53:GetChange action in the account where you are creating the records.

magnificent-soccer-44287
11/01/2023, 12:39 PM

magnificent-soccer-44287
11/01/2023, 12:39 PM

magnificent-soccer-44287
11/01/2023, 12:39 PM

magnificent-soccer-44287
11/01/2023, 12:40 PM

magnificent-soccer-44287
11/01/2023, 12:41 PM

clever-sunset-76585
11/01/2023, 12:42 PM

magnificent-soccer-44287
11/01/2023, 12:42 PM
no identity-based policy allows the route53:GetChang
but the policy is "*" and used to be "route53:*"

magnificent-soccer-44287
11/01/2023, 12:42 PM

clever-sunset-76585
11/01/2023, 12:43 PM

magnificent-soccer-44287
11/01/2023, 12:43 PM

magnificent-soccer-44287
11/01/2023, 12:44 PM
GetChange on resource: arn:aws:route53:::change/C07579521RPEJQVAFENQO

clever-sunset-76585
11/01/2023, 12:46 PM

magnificent-soccer-44287
11/01/2023, 12:47 PM

clever-sunset-76585
11/01/2023, 12:49 PM

magnificent-soccer-44287
11/01/2023, 12:50 PM
const allowedTargetArns = [
    rootZone.arn,
    "arn:aws:route53:::change/*"
]
const allowedActions = [
    "route53:ChangeResourceRecordSets",
    "route53:GetChange",
    "route53:GetHostedZone",
    "route53:ListHostedZones",
    "route53:ListResourceRecordSets",
]

clever-sunset-76585
11/01/2023, 12:52 PM
change ARN format is specific to GetChange, yeah? If so, you could move that to a separate policy statement instead of clubbing it with other actions. Unless it needs to apply to all other R53 actions too?

magnificent-soccer-44287
11/01/2023, 1:40 PM
"Principal": {
    "AWS": [
        "arn:aws:iam::REDACTED:user/stagAdmin",
        "arn:aws:iam::REDACTED:user/prodAdmin",
    ]
},
now ... when I do "aws sts get-caller-identity", they both match.
But when I'm logged into the prodAdmin user and select stack "production", I get:
pulumi:providers:aws (core-infra-cross-acc):
error: rpc error: code = Unknown desc = 2 errors occurred:
* unable to validate AWS credentials.
Details: [{0xc0016ca000 0xc0037432f0}]
Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`
Which is related to this:
const sharedAccountProvider = new aws.Provider(pre('cross-acc'), {
    assumeRole: sharedRoleArn.apply(roleArn => {
        console.dir(`roleARN ${roleArn}`)
        return {
            roleArn: roleArn,
            sessionName: pre('cross-acc-session')
        }
    }),
});
This code works on the staging stack/acc but not prod stack/acc.
Does pulumi have any special protections or treatments for stacks named "production"?

magnificent-soccer-44287
11/01/2023, 1:42 PM

magnificent-soccer-44287
11/01/2023, 1:52 PM