#aws

busy-magazine-48939

07/29/2020, 8:32 AM
Hey there, is there any example on how to deal with multiple aws accounts and multiple user identities?

kind-mechanic-53546

07/29/2020, 8:34 AM
Personally I separate this out of Pulumi and use aws-vault
e.g.
aws-vault exec profile_name -- pulumi up
generally I wrap this into a script, and then just do npm run up

busy-magazine-48939

07/29/2020, 8:47 AM
I didn’t come across aws-vault yet, thanks for sharing, definitely will look into it.

bright-policeman-55860

07/29/2020, 10:09 AM
@busy-magazine-48939 This might interest you, it's a draft from a still unpublished blog post of mine: https://gist.github.com/Sodki/95b04ee9f4f44ed81de23b0cff3a4685

quiet-leather-94755

07/30/2020, 5:49 AM
I'm not sure if it's what you're looking for, @busy-magazine-48939, but we have different AWS accounts for eg. dev / test / prod environments, and I simply handle that so far by having each environment be a stack, with the following contents of the Pulumi.<stack>.yaml file:
config:
  aws:profile: OUR_TEST_ENV_PROFILE
  aws:region: THE_REGION
..and then all of us have profiles in ~/.aws/ for each of our environments, named the same (using a company-dept-env pattern).
To be clear, my dev / test / prod profiles use my own credentials for each of the accounts, etc.

busy-magazine-48939

07/30/2020, 6:01 AM
@quiet-leather-94755, that’s actually what I’ve been doing so far myself. However, now I’m thinking to get rid of multiple “pulumi” IAM users that spread across multiple AWS Accounts in favour of IAM roles. The idea now is to centralise identities in a single AWS Account.

quiet-leather-94755

07/30/2020, 6:02 AM
Ahh ok.. yeah, we've been considering that too, but with a small team of 2-3 persons needing account access, it's not been painful enough to care about yet 😂
But does that really change anything? I thought you could set up assume role config for the profile instead, and just "keep going" as usual.

busy-magazine-48939

07/30/2020, 6:04 AM
I think in my case I’ve more AWS Accounts than people accessing them, so to me it seems reasonable to make it a little bit more DRY and stop creating “pulumi-user” every time there is a new AWS Account.

quiet-leather-94755

07/30/2020, 6:05 AM
Yeah, we just have a static set of 4 accounts.. one of which is "deprecated" and we're migrating away from, and another (dev) that's barely used.

busy-magazine-48939

07/30/2020, 6:06 AM
But does that really change anything? I thought you could set up assume role config for the profile instead, and just “keep going” as usual.
I’m not sure yet, that’s why asking here for some real-world examples, curious to see how people tackle this problem. I think Henrique shared a really good material, I’m looking forward to read the final post.

quiet-leather-94755

07/30/2020, 6:07 AM
Yeah, I had a quick look too -- great to see stuff like this to get ideas for future development 🙂