is it possible to have an aws.provider that uses a...
# aws
c
Is it possible to have an aws.provider that uses another aws.provider? I need to have an aws.provider that is the result of two assume roles: assume role X -> X assumes role Y. Is there a way to do this? Passing pulumi.Provider to another provider doesn’t seem to do anything.
l
Is that possible even in AWS? If you try to assume a role, doesn't it use your actual login to determine whether or not you're allowed to?
I think you can create a provider from any set of credentials though. You wouldn't be assuming, you'd be logged in in a different session, as it were.
c
First - it’s possible to do multiple assumes as long as the assumed role has permissions for it. Second - the way I solved it was that I used the AWS CLI to do the multiple assumes and passed the credentials to Pulumi when I created the provider.
a
@clever-byte-21551 I have a similar use case, where I want to create a role (with an already assumed role), grant policies and then assume to that new role to create some other stuff, all within the same Pulumi program (ideally). If possible, could you share more details on how you achieved this?
c
@acoustic-leather-88378 I just used the aws sdk to do the multiple assumes and saved the assumed credentials to a file in the format:
```ini
[default]
aws_access_key_id = %s
aws_secret_access_key = %s
aws_session_token = %s
```
In the pulumi provider I supplied it with the path to the file:
```go
p, err := pulumiaws.NewProvider(ctx, "assumedRole", &pulumiaws.ProviderArgs{
	SharedCredentialsFile: pulumi.String(b.awsCredsFilePath),
	Region:                pulumi.String(b.Region),
})
```
The reason for that is to avoid saving the ephemeral credentials to the state (they expire after an hour). The only thing that is saved to the state is the path to the file, which I make sure exists before running the stack.
a
Thanks @clever-byte-21551. I was looking at other similar solutions around creating multiple providers but your point around state and ephemeral creds makes sense 👍
Your solution might not work for my use case though, since I'd like to create the role and use it (assume role) directly after that in the same stack.
c
You might need to split it to a different stack in order for this to work with my solution.