Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
b
busy-magazine-48939
07/29/2020, 8:32 AMHey there, is there any example on how to deal with multiple aws accounts and multiple user identities?
k
kind-mechanic-53546
07/29/2020, 8:34 AMpersonally i separate this out of pulumi and use aws-vault
e.g.
aws-vault exec profile_name -- pulumi up:woohoo: 1
generally I wrap this into a script, and then just do npm run up
b
busy-magazine-48939
07/29/2020, 8:47 AMI didn’t come across
aws-vaultb
bright-policeman-55860
07/29/2020, 10:09 AM@busy-magazine-48939 This might interest you, it's a draft from a still unpublished blog post of mine: https://gist.github.com/Sodki/95b04ee9f4f44ed81de23b0cff3a4685
❤️ 1
q
quiet-leather-94755
07/30/2020, 5:49 AMI'm not sure if it's what you're looking for, @busy-magazine-48939, but we have different AWS accounts for eg. dev / test / prod environments, and I simply handle that so far by having each environment be a stack, with the following contents of the
Pulumi.<stack>.yamlconfig:
aws:profile: OUR_TEST_ENV_PROFILE
aws:region: THE_REGION~/.aws/company-dept-envTo be clear, my dev / test / prod profiles use my own credentials for each of the accounts, etc.
b
busy-magazine-48939
07/30/2020, 6:01 AM@quiet-leather-94755, that’s actually what I’ve been doing so far myself. However, now I’m thinking to get rid of multiple “pulumi” IAM users that spread across multiple AWS Accounts in favour of IAM roles. The idea now is to centralise identities in a single AWS Account.
q
quiet-leather-94755
07/30/2020, 6:02 AMAhh ok.. yeah, we've been considering that too, but with a small team of 2-3 persons needing account access, it's not been painful enough to care about yet 😂
But does that really change anything? I thought you could set up assume role config for the profile instead, and just "keep going" as usual.
b
busy-magazine-48939
07/30/2020, 6:04 AMI think in my case I’ve more AWS Accounts than people accessing them, so to me it seems reasonable to make it a little bit more DRY and stop creating “pulumi-user” every time there is a new AWS Account.
💯 1
q
quiet-leather-94755
07/30/2020, 6:05 AMYeah, we just have a static set of 4 accounts.. one of which is "deprecated" and we're migrating away from, and another (dev) that's barely used.
b
busy-magazine-48939
07/30/2020, 6:06 AMBut does that really change anything? I thought you could set up assume role config for the profile instead, and just “keep going” as usual.I’m not sure yet, that’s why asking here for some real-world examples, curious to see how people tackle this problem. I think Henrique shared a really good material, I’m looking forward to read the final post.
q
quiet-leather-94755
07/30/2020, 6:07 AMYeah, I had a quick look too -- great to see stuff like this to get ideas for future development 🙂