green-bird-4706
10/07/2022, 2:33 AM
PowerUserAccess with saml2aws to the test account, and Pulumi seems to be OK picking up the credentials from the ~/.aws/credentials file and creating resources. But I cannot create IAM policies with this role due to the policies on the role.
We have another account, control, that does our deployments for us. If I log in to it with saml2aws and modify that stack's pulumi.dev.yaml file to have this:
    config:
      aws:assumeRole:
        roleArn: arn:aws:iam::<<test acc id>>:role/ExternalDeployer
      aws:region: ap-southeast-2
      prima-data-ingestion:vpcId:
        secure: <<VPC ID>>
When I pulumi up I get:
    error: Error: invocation of aws:kms/getKey:getKey returned an error: unable to validate AWS credentials. Make sure you have:
    • Set your AWS region, e.g. `pulumi config set aws:region us-west-2`
    • Configured your AWS credentials as per <https://pulumi.io/install/aws.html>
    You can also set these via cli using `aws configure`.
        at Object.callback (/home/rhys/projects/pulumi/deploy/node_modules/@pulumi/runtime/invoke.ts:159:33)
        at Object.onReceiveStatus (/home/rhys/projects/pulumi/deploy/node_modules/@grpc/grpc-js/src/client.ts:338:26)
        at Object.onReceiveStatus (/home/rhys/projects/pulumi/deploy/node_modules/@grpc/grpc-js/src/client-interceptors.ts:426:34)
        at Object.onReceiveStatus (/home/rhys/projects/pulumi/deploy/node_modules/@grpc/grpc-js/src/client-interceptors.ts:389:48)
        at /home/rhys/projects/pulumi/deploy/node_modules/@grpc/grpc-js/src/call-stream.ts:276:24
        at processTicksAndRejections (internal/process/task_queues.js:77:11)
If I run aws configure and set the Access Key ID and Secret Access Key, set the correct region and leave the output format as None, it doesn't make any difference. I have also tried to put this information and the token into ~/.aws/credentials and it still has the same issue. How do I get Pulumi to use the role for deployments?
In Terraform it was as simple as adding this block to the AWS provider:
    assume_role {
      role_arn = "arn:aws:iam::<<test acc id>>:role/ExternalDeployer"
    }
(and I use actual values for <<test acc id>> - just not going to put them on Slack, just fyi) Thanks in advance.

Pulumi.<<stack>>.yaml
I needed to skip credentials validation, so the config looks like this:
    config:
      aws:assumeRole:
        roleArn: arn:aws:iam::<<Account_id>>:role/RoleName
      aws:skipCredentialsValidation: true
great-sunset-355
10/11/2022, 1:23 PM