Hi I m setting up OIDC In which AWS account do I set up the Pulumi Community #esc

Hi, I'm setting up OIDC. In which AWS account do I...

gifted-gigabyte-53859

11/14/2023, 2:54 AM

Hi, I'm setting up OIDC. In which AWS account do I set up the provider ? e.g. I have multiple accounts, such as $project-$env i.e. project1-develop, project1-staging, etc. These are usually managed centrally by controltower/aws identity center. Do I set up the identity provider in each account? or the central account?

lemon-agent-27707

11/14/2023, 1:48 PM

I believe you need to configure the identity provider in each account. Have you taken a look at our docs on this? • blog • AWS OIDC docs • python example

gifted-gigabyte-53859

11/15/2023, 5:13 AM

Thanks Evan, yes I was following that guide. When it got to the part about adding the provider in AWS IAM, that's when I became unsure. I'll do it once per account

lemon-agent-27707

11/16/2023, 12:57 AM

Great, let me know if you hit any roadblocks. I'm curious, what drew you to ESC and what are you hoping to use it for?

gifted-gigabyte-53859

11/16/2023, 3:34 AM

The two main things were • The inconvenience of having to paste my aws temporary credentials in my

~/.aws/credentials

file daily. And sharing account access between colleagues. • Also, the issue of safely and securely granting pulumi access to the account in CI/CD. I don't like creating a service IAM account and creating a long-lived secret key. I'm hoping that using ESC, I can use Pulumi in CI/CD with temporary credentials. As a side benefit, I'm hoping to use ESC with the 'esc run' feature to quickly switch between environments, and avoid needing to save multiple credentials for multiple AWS accounts on my workstation. but still getting my head around how to do that.

gifted-gigabyte-53859

12/01/2023, 4:02 AM

@lemon-agent-27707 I got it working with help from @plain-diamond-92898, working great. Removes the need for saving credentials locally, and specifying an aws profile in the stack config. Also lets me use commands like this:

Copy code

james.tuson@MAC app % esc run shopify-dev -- aws s3 ls
2023-11-30 11:07:19 apiapp-xx
2023-11-30 14:13:55 apiapp-xx
2023-11-17 12:30:50 apifrontend-xx
2023-11-16 12:35:47 frontend-app-xxx

Really cool tool One thing we'll have to work out is how to properly delegate access to and in pulumi now since being a member of our Pulumi org basically gives open access to any AWS account we have...

lemon-agent-27707

12/01/2023, 5:32 AM

ESC does integrate with pulumi teams and the rest of the RBAC model, that should help here.

Open in Slack

Previous Next