I was wondering if there s been movement on this item <https Pulumi Community #esc

I was wondering if there’s been movement on this i...

brash-gigabyte-81569

04/16/2024, 7:20 PM

I was wondering if there’s been movement on this item https://github.com/pulumi/pulumi/issues/14509. TLDR: Using OIDC from ESC within IaC you are currently unable to lock down roles to specific environments as the subject is “wrong”

brash-gigabyte-81569

04/16/2024, 7:44 PM

Removed OIDC from my environments for now

red-match-15116

04/16/2024, 9:41 PM

We've made some progress here...

red-match-15116

04/16/2024, 9:43 PM

You can customize the OIDC token subject claim now https://www.pulumi.com/docs/pulumi-cloud/oidc/aws/#subject-customization

plain-diamond-92898

04/16/2024, 9:56 PM

As Komal mentioned, we recommend using Subject Customization. We created that option as an alternate solution. a. Instead of the default subject if you use

pulumi.user.login

and/or

pulumi.organization.login

subject attributes, you can ensure the subject claims are consistent across Pulumi IaC operations (

pulumi up/refresh/destroy

) and esc commands (like

esc open

esc run

). Example subject claims based on your definition: i.

pulumi:environments:pulumi.organization.login:{ORGANIZATION_NAME}

ii.

pulumi:environments:pulumi.organization.login:{ORGANIZATION_NAME}:pulumi.user.login:{USER_LOGIN}

b. If you use the

currentEnvironment.name

and

rootEnvironment.name

subject attributes with Pulumi IaC Operations, you will still have the subject as

pulumi:environments:org:contoso:env:<yaml>

. However, for esc commands, you will have the subject as per your definition: (For example:

pulumi:environments:pulumi.organization.login:{ORGANIZATION_NAME}:currentEnvironment.name:<CURRENT_ENVIRONMENT_NAME>

)

plain-diamond-92898

04/16/2024, 9:58 PM

Although to your point, locking roles to specific environment names when using ESC with IaC does get challenging.

brash-gigabyte-81569

04/16/2024, 9:58 PM

I think there is still a tricky issue if I understand correctly. As these are both user controlled fields

red-match-15116

04/16/2024, 9:59 PM

I think there is still a tricky issue if I understand correctly. As these are both user controlled fields

They are not, these values are provided by the environment.

brash-gigabyte-81569

04/16/2024, 10:00 PM

User controlled as in a member in the org can create a new environment setting the role and the name to use

brash-gigabyte-81569

04/16/2024, 10:01 PM

And if I have an admin role locked to an env of say admin-env a user can create another environment and set those same strings and assume that role

brash-gigabyte-81569

04/16/2024, 10:03 PM

Now I could make those strings near impossible to guess so I suppose I could leverage it that way

plain-diamond-92898

04/16/2024, 10:05 PM

You can't set those strings in ESC. These are pre-defined keys that will be evaluated when opening the environment.

red-match-15116

04/16/2024, 10:06 PM

I think(?) Matt means the strings for the admin role arn

brash-gigabyte-81569

04/16/2024, 10:07 PM

Oh I see it isn’t an override it is a list of keys to append

brash-gigabyte-81569

04/16/2024, 10:09 PM

Ok I think I have the same issue with trying to lock it down though since it will be <yaml> regardless of the the env it is

plain-diamond-92898

04/16/2024, 10:10 PM

Ok I think I have the same issue with trying to lock it down though since it will be <yaml> regardless of the the env it is

Yeah, if you are thinking of locking down using env name when using IaC, then it gets tricky.

brash-gigabyte-81569

04/16/2024, 10:10 PM

Yep

brash-gigabyte-81569

04/16/2024, 10:14 PM

Use case that I was attempting was multiple envs that are oidc connections to a few different accounts, create multiple providers (one for each) and then perform magic in a deployment. Not a big deal, I will use the oidc on the deployment for ones where it’s one to one

brash-gigabyte-81569

04/16/2024, 10:16 PM

And if I really really want to I could use the oidc and do some assume role magic in a deployment

red-match-15116

04/16/2024, 10:16 PM

Definitely appreciate you raising this, it's an ongoing conversation on how best to solve this going forward.

able-market-62580

04/17/2024, 12:11 PM

Hi @brash-gigabyte-81569 I got late to the conversation. The problem with that is that by default it lacks of a root env (the one in IaC importing the first env) to define the subject. You can customize the subject using the

currentEnvironment.name

and

rootEnvironment.name

subject attributes which will resolve to a proper name when used from a stored environment: • current env is the name of the environment using the provider • root env is the name of the "rootest" environment (the one being imported from Iac) Using the example of the issue, you can create a new

prod_keys

environment

Copy code

values:
  azure:
    login:
      fn::open::azure-login:
        subjectAttributes:
          - currentEnvironment.name
        clientId: your-client-id
        tenantId: you-tenant-id
        subscriptionId: your-subscription-id # without the `/subscriptions/` prefix
        oidc: true

able-market-62580

04/17/2024, 12:13 PM

and from the IaC env

Copy code

imports:
- prod_keys

able-market-62580

04/17/2024, 12:16 PM

The subject in that case should be

pulumi:environments:pulumi.organization.login:{ORGANIZATION_NAME}:currentEnvironment.name:prod_keys

able-market-62580

04/17/2024, 12:18 PM

(you can then use RBAC to limit who can open that imported environment)

Open in Slack

Previous Next