# aws
I looked into this some more. I allowed the jump account's id and enabled the refresh option of the preview command. It looks like CloudControl requests are done with `jump-role` (and they target the jump account):

```
error: Preview failed: operation error CloudControl: GetResource, https response error StatusCode: 400, RequestID: <snip>, api error AccessDeniedException: User: arn:aws:sts::<bastion-account-id>:assumed-role/jump-role/GitHubActions is not authorized to perform: cloudformation:GetResource on resource: arn:aws:cloudformation:eu-central-1:<bastion-account-id>:resource/* because no identity-based policy allows the cloudformation:GetResource action
```
Max verbosity + debug logs don't contain anything relevant.
I also tried setting `roleArn` to the ARN of the correct role, but it had no effect even though CloudControl requests are supposed to use it. I'll probably create a bug report tomorrow because this doesn't make the least bit of sense to me 😄
> And that clearly happens, because I got an error message when I forgot to add assume role permissions to `jump-role`.

Actually, this came from some debugging code I forgot about. I looked into it, and I don't think Pulumi even tries to assume the role. I can work around this whole thing by assuming the roles externally and marshaling the credentials to the Pulumi programs (AWS SDK's standard env variables aren't enough because I need multiple providers with different credentials in one project). However, I'm going to submit a bug report anyway.