#general

icy-controller-6092

01/12/2024, 2:33 AM
does anyone have thoughts on this? I imagine this is a pretty standard concern for adding pulumi to CI/CD: https://github.com/pulumi/pulumi/discussions/15073

lemon-agent-27707

01/12/2024, 7:58 PM
Have you taken a look at Pulumi Deployments (#pulumi-deployments) and ESC (#esc) ? Both of them have support for generating single use short term credentials per deployment that can be scoped down to a specific AWS role.

icy-controller-6092

01/12/2024, 9:55 PM
I think the devil in the detail here is defining the role policy, rather than assuming the role.
e.g. I can't see in either of those solutions mentioned where it maps a resource (for example aws.eks.Addon) to a set of required permissions to provision for the AWS role.

cuddly-computer-18851

01/13/2024, 12:31 AM
A common pattern is to deploy in dev - use IAM Analyzer / Cloudtrail / iamlive to show the actual Actions and resources, generate Policy from that. It is a little surprising in the TF ecosystem there's not a better static analysis way to do this, but AWS makes it difficult.

icy-controller-6092

01/13/2024, 12:46 AM
That would be a nice pattern to be able to automate, and even have the providers publish these themselves. Often I find I've provisioned the right permissions to create/update and then when I go to replace or delete I get a bunch of permission errors.

full-boots-69133

01/15/2024, 1:02 AM
IAM Analyzer / Cloudtrail is also my recommendation. AWS does make it difficult. S3 in particular is really bad; when you create an S3 bucket you need many other permissions.