# aws

clever-byte-21551

09/16/2020, 8:07 AM
Is it possible to have an aws.provider that uses another aws.provider? I need to have an aws.provider that is the result of two assume roles: assume role X -> X assumes role Y. Is there a way to do this? Passing pulumi.Provider to another provider doesn’t seem to do anything.

little-cartoon-10569

09/16/2020, 9:15 PM
Is that possible even in AWS? If you try to assume a role, doesn't it use your actual login to determine whether or not you're allowed to?
I think you can create a provider from any set of credentials though. You wouldn't be assuming, you'd be logged in in a different session, as it were.

clever-byte-21551

09/22/2020, 12:40 PM
First - it’s possible to do multiple assumes as long as the assumed role has permissions for it. Second - the way I solved it was that I used the AWS CLI to do the multiple assumes and passed the credentials to Pulumi when I created the provider.

acoustic-leather-88378

10/08/2020, 2:32 PM
@clever-byte-21551 I have a similar use case, where I want to create a role (with an already assumed role), grant policies and then assume to that new role to create some other stuff, all within the same Pulumi program (ideally). If possible, could you share more details on how you achieved this?

clever-byte-21551

10/08/2020, 2:39 PM
@acoustic-leather-88378 I just used the aws sdk to do the multiple assumes and saved the assumed credentials to a file in the format:
```ini
[default]
aws_access_key_id = %s
aws_secret_access_key = %s
aws_session_token = %s
```
In the pulumi provider I supplied it with the path to the file:
```go
p, err := pulumiaws.NewProvider(ctx, "assumedRole", &pulumiaws.ProviderArgs{
   SharedCredentialsFile: pulumi.String(b.awsCredsFilePath),
   Region:                pulumi.String(b.Region),
})
```
The reason for that is to avoid saving the ephemeral credentials to the state (they expire after an hour); the only thing that is saved to the state is the path to the file, which I make sure exists before running the stack.

acoustic-leather-88378

10/08/2020, 2:40 PM
Thanks @clever-byte-21551. I was looking at other similar solutions around creating multiple providers but your point around state and ephemeral creds makes sense 👍
Your solution might not work for my use case though, since I'd like to create the role and use it (assume role) directly after that in the same stack.

clever-byte-21551

10/08/2020, 2:50 PM
You might need to split it to a different stack in order for this to work with my solution.