gifted-vase-28337
10/30/2020, 5:41 PM
arn:aws:iam::{account ID}:saml-provider/AWSSSO_{redacted}_DO_NOT_DELETE. With that as the role's assume_role policy principal (with type Federated), the role assumption fails with:
    * error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
Should I be doing this differently?

billowy-army-68599
10/30/2020, 6:16 PM

important-appointment-55126
10/30/2020, 6:19 PM

gifted-vase-28337
10/30/2020, 6:58 PM
ProviderResource in opts

billowy-army-68599
10/30/2020, 6:58 PM

gifted-vase-28337
10/30/2020, 7:09 PM
import pulumi
import pulumi_aws as aws

assume_role_policy_document = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            actions=["sts:AssumeRole"],
            effect="Allow",
            principals=[
                aws.iam.GetPolicyDocumentStatementPrincipalArgs(
                    identifiers=["arn:aws:iam::{account_id}:saml-provider/AWSSSO_{redacted}_DO_NOT_DELETE"],
                    type="Federated",
                )
            ],
            resources=[],
            sid="AmazonSAMLUserCanAssumeRole",
        )
    ]
)
opal_role = aws.iam.Role(
    resource_name=nomen.resource_name("role"),
    assume_role_policy=assume_role_policy_document.json,
    description=nomen.description("Execute systems."),
    max_session_duration=60 * 60,
    name=nomen.resource_name("role"),
    path=nomen.path(),
    tags=nomen.tags(),
)
nomen is an internal naming library instance that you can disregard
pulumi.ProviderResource(
    pkg="aws",
    name=nomen.resource_name('provider'),
    props={
        "profile": STACK_NAME,
        "assume_role": aws.ProviderAssumeRoleArgs(
            policy=A_POLICY,
            role_arn=opal_role.arn,
            session_name=nomen.resource_name('session'),
        ),
    },
)
billowy-army-68599
10/30/2020, 8:00 PM

important-appointment-55126
10/30/2020, 8:13 PM

billowy-army-68599
10/30/2020, 8:22 PM
aws-vault and I wrote a little thing to do it too: https://github.com/jaxxstorm/aws-sso-creds

gifted-vase-28337
10/30/2020, 9:13 PM
principals as the culprit. aws-sso-creds and aws2-wrap each a shot and report back.

important-appointment-55126
10/30/2020, 9:47 PM
aws2-okta to run Pulumi using a profile that has sufficient privileges to do what I want, and have Pulumi assume a role if necessary that was previously created as a normal IAM role

gifted-vase-28337
11/06/2020, 1:12 AM
aws-sso-creds and aws2-wrap and chose to go with aws2-wrap because it seems to align better with my workflow.
I'm getting an error that looks like this:
    aws2-wrap pulumi up --yes
    An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::{account id}:assumed-role/AWSReservedSSO_AWSAdministratorAccess_{randomized}/chaueter@valohealth.com is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{account id}:role/chaueter-admin-role
    Failed to assume-role arn:aws:iam::{account id}:role/chaueter-admin-role
This is surprising because I've updated the chaueter-admin-role with the following trust relationship policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:sts::{account id}:assumed-role/AWSReservedSSO_AWSAdministratorAccess_{random}/chaueter@valohealth.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

[profile {profile name}]
region = us-west-2
role_arn = arn:aws:iam::{account id}:role/chaueter-admin-role
sso_account_id = {account id}
sso_region = us-west-2
sso_role_name = AWSAdministratorAccess
sso_start_url = {redacted}