What is the best practice in authenticate Pulumi ...
# pulumi-cloud
d
What is the best practice for authenticating Pulumi Cloud with AWS without using AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY?
m
d
@mammoth-electrician-64525 I see that it's for the Pulumi Deployments case, or if I use it with Pulumi ESC. I deploy with the Automation API....
m
@dry-vegetable-10976 OIDC providers are connected using Pulumi ESC; you can consume this integration using CLI, Pulumi Deployments, or Automation API.
"Pulumi supports OpenID Connect (OIDC) integration across various services. OIDC enables secure interactions between Pulumi services and cloud providers by leveraging signed, short-lived tokens issued by the Pulumi Cloud. This mechanism enhances security by eliminating the necessity for hardcoded cloud provider credentials and facilitates the exchange of these tokens for short-term credentials from your cloud provider." Reference: https://www.pulumi.com/docs/pulumi-cloud/access-management/oidc/provider/
d
@mammoth-electrician-64525 But I cannot use Pulumi ESC (my company....), so I don't have other options?
m
Strangely, if you want to use Pulumi Cloud, the standard method you are looking for is Pulumi ESC. I don't know why you want to use Pulumi Cloud and cannot use Pulumi ESC. I can't see other options.
Note: Pulumi ESC is included in the Free Plan and is supported by the self-hosted option.
d
Ok, if I can use Pulumi ESC, how do I configure it with the Automation API? I set Pulumi ESC to use OIDC in the UI, but how do I configure it in code? What do I need to change for it to work?
m
@dry-vegetable-10976 Pulumi ESC is integrated with your Stack. To consume it, you need to add it to your Stack configuration like this example:
environment:
  - your-pulumi-esc-project/your-pulumi-esc-oidc-provider
l
OIDC only covers some situations, it's not particularly suitable for work kicked off outside of a pipeline. SSO handles this better. jaxxstorm wrote a good post on this a while back; there's probably 4 new ways to do it now, but everything in here is still valid: https://leebriggs.co.uk/blog/2022/09/05/authenticating-to-aws-the-right-way
m
@little-cartoon-10569 Sorry, but the OIDC provider is working out of the pipeline for us. Also, in checking this article, I didn't find any mention of Pulumi. As you mentioned, can you share how to implement SSO rather than the OIDC provider for Pulumi use cases?
@little-cartoon-10569 also, OIDC supports SSO as you can see in my Pulumi ESC below:
values:
  SSOroleArn: arn:aws:iam::XXXXX:role/aws-reserved/sso.amazonaws.com/region/AWSReservedSSO_AWSAdministratorAccess_XXXXX
  aws:
    region: region
    roleArn: arn:aws:iam::XXXXX:role/pulumi-esc-oidc-role
    login:
      fn::open::aws-login:
        oidc:
          duration: 1h
          roleArn: ${aws.roleArn}
          sessionName: pulumi-environments-session
  environmentVariables:
    AWS_ACCESS_KEY_ID: ${aws.login.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${aws.login.secretAccessKey}
    AWS_SESSION_TOKEN: ${aws.login.sessionToken}
    AWS_REGION: ${aws.region}
  pulumiConfig:
    project:environment: aws-dev-cluster
    aws:region: ${aws.region}
    roleArn: ${aws.roleArn}
    SSOroleArn: ${SSOroleArn}
l
Set up AWS SSO in the normal way, use aws sso login to log in, then run Pulumi. It gets its credentials from the AWS session.
This applies only to non-CI type use. Use OIDC for CI use.
The usage is not specific to Pulumi. It allows the AWS SDK, which Pulumi leverages, to access AWS via short-lived credentials.
m
Sorry, but I'm guessing that you are wrong. I'm using an OIDC provider with AWS SSO based on AWS Control Tower in Pulumi ESC. The implementation above allows us to run outside or inside pipelines.
I have it running in GitLab CI/CD, GitHub Actions, the CLI and the Automation API.
Basically, we implemented an OIDC provider using Pulumi ESC, adding support for the SSO offered by AWS Control Tower. Exactly what you suggested 😉
We do not need to run aws SSO login.
We implemented it because some engineers need access to Pulumi but don't have access to AWS. Also, those who have access to AWS don't need to log in; Pulumi ESC does it for us. No manual steps here.
l
Yes, ESC changes things; it handles a pile of the aud and sub complexities that you want to avoid on the CLI. I wasn't talking about all cases. This particular advice is for just some situations. In this case, it's covering basic interactive use, which isn't supported by nice API wrappers like GitHub Actions or Pulumi ESC.
OP's question did not mention ESC.
In fact, she later says that ESC is out of the question.
m
I'm a fan of Pulumi ESC; this solution makes our life so much easier. Normally I promote it everywhere 🤣
l
I am also a fan of it. But it's another app which may mean another set of hurdles to get it adopted in a company. And it also means more cost. I cannot use it for many of my clients because they won't be convinced of its value.
m
👍
d
@little-cartoon-10569 I need to deploy with AWS CodeBuild, so SSO is not an option. Do I have another way to authenticate Pulumi Cloud with AWS without Pulumi ESC? How?
l
OIDC is definitely the option then. If you can't get that working, then you'll probably have to make do with long-lived tokens. I think CodeBuild supports OIDC? Let me check.
Actually, CodeBuild supports running under a regular IAM role, IIRC. I think it should be easy.
d
Oh no, it doesn't work with the CodeBuild role because I use it with Pulumi Cloud; Pulumi Cloud needs to authenticate with AWS. I prefer to do it without Pulumi ESC, but I don't know how to use OIDC without ESC.
l
You say "I use with pulumi cloud". Does that mean you're using the service in the "ordinary" way, storing your state there? If that's all, then that's not relevant to how you authenticate with AWS for deploying. If you mean you're using Pulumi Deployments, then you can definitely use OIDC; it's built into Pulumi Deployments.
If you're only using Pulumi Cloud to store your state, then you can rest assured that Pulumi does not need to authenticate with AWS. Only the machine that you run pulumi up from needs to do that.
d
But I get an error from Pulumi:
Command failed with exit code 255: pulumi up --yes --skip-preview --message Executed from codebuild --refresh --diff --parallel 1 --client=127.0.0.1:33929 --exec-kind auto.inline --stack platform-iac-bastion-role --non-interactive
621
error: pulumi:providers:aws resource 'default_6_56_0' has a problem: No valid credential sources found.
So what do you mean, Pulumi does not need to authenticate with AWS? The CodeBuild machine has full access; it's not the case of using Pulumi Deployments.
l
In that case, the machine that you're running from is not having the correct AWS creds / tokens put into its environment. You may be able to pull the variables out of the instance metadata? Or maybe there's an AWS CLI command to do that?
The credentials are available, they're just not in the right place for the AWS SDK to find them.
You're using the Pulumi default AWS provider, which checks all the normal places: AWS_ACCESS_TOKEN_ID, ~/.aws/credentials, etc.
You just need to get those values out of wherever they are and put them in the "standard" place(s).