magnificent-soccer-44287
11/01/2023, 11:52 AM
const nsRecord = new aws.route53.Record(pre('dns-record'), rootZoneId.apply(rootZoneId => { return {
    zoneId: rootZoneId,
    name: `${subDomainName}.${tldName}`,
    type: "NS",
    ttl: 86400,
    records: subDomainZone.nameServers,
}}) as unknown as aws.route53.RecordArgs, { provider: sharedAccountProvider })
The DNS record is actually created, but Pulumi shows:
* creating urn:pulumi:REDACTED: 1 error occurred:
* waiting for Route 53 Record (REDACTED) create: AccessDenied: User: REDACTED/core-infra-cross-acc-session is not authorized to perform: route53:GetChange on resource: arn:aws:route53:::change/REDACTED because no identity-based policy allows the route53:GetChange action
status code: 403, request id: 86b4b8f0-5e7a-445d-a012-3c689e063dbf
Even stranger, if I delete that record manually, run pulumi refresh, and attempt to re-create it... it is recreated successfully, but Pulumi shows the same error. This appears to be reproducible.
clever-sunset-76585
11/01/2023, 12:32 PM
route53:GetChange action in the account where you are creating the records.
magnificent-soccer-44287
11/01/2023, 12:39 PM
clever-sunset-76585
11/01/2023, 12:42 PM
magnificent-soccer-44287
11/01/2023, 12:42 PM
no identity-based policy allows the route53:GetChang
but the policy is "*" and used to be "route53:*"
clever-sunset-76585
11/01/2023, 12:43 PM
magnificent-soccer-44287
11/01/2023, 12:44 PM
GetChange on resource: arn:aws:route53:::change/C07579521RPEJQVAFENQO
clever-sunset-76585
11/01/2023, 12:46 PM
magnificent-soccer-44287
11/01/2023, 12:47 PM
clever-sunset-76585
11/01/2023, 12:49 PM
magnificent-soccer-44287
11/01/2023, 12:50 PM
const allowedTargetArns = [
    rootZone.arn,
    "arn:aws:route53:::change/*"
]
const allowedActions = [
    "route53:ChangeResourceRecordSets",
    "route53:GetChange",
    "route53:GetHostedZone",
    "route53:ListHostedZones",
    "route53:ListResourceRecordSets",
]
clever-sunset-76585
11/01/2023, 12:52 PM
The change ARN format is specific to GetChange, yeah? If so, you could move that to a separate policy statement instead of clubbing it with other actions. Unless it needs to apply to all other R53 actions too?
magnificent-soccer-44287
11/01/2023, 1:40 PM
"Principal": {
    "AWS": [
        "arn:aws:iam::REDACTED:user/stagAdmin",
        "arn:aws:iam::REDACTED:user/prodAdmin",
    ]
},
Now, when I do "aws sts get-caller-identity", they both match.
But when I'm logged in as the prodAdmin user and select the stack "production", I get:
pulumi:providers:aws (core-infra-cross-acc):
error: rpc error: code = Unknown desc = 2 errors occurred:
* unable to validate AWS credentials.
Details: [{0xc0016ca000 0xc0037432f0}]
Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`
Which is related to this:
const sharedAccountProvider = new aws.Provider(pre('cross-acc'), {
    assumeRole: sharedRoleArn.apply(roleArn => {
        console.dir(`roleARN ${roleArn}`)
        return {
            roleArn: roleArn,
            sessionName: pre('cross-acc-session')
        }
    }),
});
This code works on the staging stack/acc but not prod stack/acc.
Does pulumi have any special protections or treatments for stacks named "production" ?