# aws
g
I have a Pulumi file that does some IAM work, assumes a role, and deploys to EKS. I run it locally with `pulumi up`. Now I'm trying to deploy it with a GitHub Action, and I'm creating an IAM user for it, but I don't seem to have the right permissions when I run it. Given a Pulumi file, is there an easy way to see what IAM permissions it requires?
l
If you have it working in one place, you could use IAM Access Advisor (AWS IAM console, User and Role pages) to see what permissions were used by the working user/role.
g
did not know about that tool - thanks
l
Note that if you're creating IAM roles and policies and then assuming that role, you can't do that in the same Pulumi project. It would work if the role already exists (i.e. you'd run the project before), but it would fail when deploying the resources for the first time. You should use two projects for this scenario.
That is: `pulumi up` might work, but `pulumi destroy ; pulumi up` would fail.