Hi, I'm setting up OIDC. In which AWS account do I...
# esc
Hi, I'm setting up OIDC. In which AWS account do I set up the provider ? e.g. I have multiple accounts, such as $project-$env i.e. project1-develop, project1-staging, etc. These are usually managed centrally by controltower/aws identity center. Do I set up the identity provider in each account? or the central account?
I believe you need to configure the identity provider in each account. Have you taken a look at our docs on this? • blogAWS OIDC docspython example
Thanks Evan, yes I was following that guide. When it got to the part about adding the provider in AWS IAM, that's when I became unsure. I'll do it once per account
Great, let me know if you hit any roadblocks. I'm curious, what drew you to ESC and what are you hoping to use it for?
The two main things were • The inconvenience of having to paste my aws temporary credentials in my
file daily. And sharing account access between colleagues. • Also, the issue of safely and securely granting pulumi access to the account in CI/CD. I don't like creating a service IAM account and creating a long-lived secret key. I'm hoping that using ESC, I can use Pulumi in CI/CD with temporary credentials. As a side benefit, I'm hoping to use ESC with the 'esc run' feature to quickly switch between environments, and avoid needing to save multiple credentials for multiple AWS accounts on my workstation. but still getting my head around how to do that.
@lemon-agent-27707 I got it working with help from @plain-diamond-92898, working great. Removes the need for saving credentials locally, and specifying an aws profile in the stack config. Also lets me use commands like this:
Copy code
james.tuson@MAC app % esc run shopify-dev -- aws s3 ls
2023-11-30 11:07:19 apiapp-xx
2023-11-30 14:13:55 apiapp-xx
2023-11-17 12:30:50 apifrontend-xx
2023-11-16 12:35:47 frontend-app-xxx
Really cool tool One thing we'll have to work out is how to properly delegate access to and in pulumi now since being a member of our Pulumi org basically gives open access to any AWS account we have...
ESC does integrate with pulumi teams and the rest of the RBAC model, that should help here.