https://pulumi.com logo
Join Slack
Powered by
This message was deleted.
# aws
s
This message was deleted.
b
how are you doing this, via a provider?
i
I use https://github.com/linaro-its/aws2-wrap to run Pulumi from the cli while logged in via AWS SSO
g
@billowy-army-68599 yes, using a 
ProviderResource
in 
opts
b
can you share how you're configuring it?
g
Copy code
assume_role_policy_document = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            actions=["sts:AssumeRole"],
            effect="Allow",
            principals=[
                aws.iam.GetPolicyDocumentStatementPrincipalArgs(
                    identifiers=["arn:aws:iam::{account_id}:saml-provider/AWSSSO_{redacted}_DO_NOT_DELETE"],
                    type="Federated",
                )
            ],
            resources=[],
            sid="AmazonSAMLUserCanAssumeRole",
        )
    ]
)

opal_role = aws.iam.Role(
    resource_name=nomen.resource_name("role"),
    assume_role_policy=assume_role_policy_document.json,
    description=nomen.description("Execute systems."),
    max_session_duration=60 * 60,
    name=nomen.resource_name("role"),
    path=nomen.path(),
    tags=nomen.tags(),
)
The SSO was set up by Control Tower -- LMK if you need any specifics there
nomen
is an internal naming library instance that you can disregard
The `ProviderResource`:
Copy code
pulumi.ProviderResource(
        pkg="aws",
        name=nomen.resource_name('provider'),
        props={
            "profile": STACK_NAME,
            "assume_role": aws.ProviderAssumeRoleArgs(
                policy=A_POLICY,
                role_arn=opal_role.arn,
                session_name=nomen.resource_name('session'),
            ),
        },
)
b
I could be missing something, but it seems you're assuming role into that sso role from some credentials on your machine, is that right? you have a profile configured etc
1
I think you need to get some temporary creds for your profiel
1
i
aws2-wrap gets those temporary creds
b
yeah there's also 
aws-vault
and I wrote a little thing to do it too: https://github.com/jaxxstorm/aws-sso-creds
g
Yes, using the AWS CLI v1 creds generated via the AWS SSO page. Those are working as expected.
I don't think the credentials are the issue because with these creds pulumi successfully executes. The thing not working is assuming the role defined above. I'm looking at 
principals
as the culprit.
I'll give 
aws-sso-creds
and 
aws2-wrap
each a shot and report back.
i
to clarify, i use 
aws2-okta
to run Pulumi using a profile that has sufficient privileges to do what I want, and have Pulumi assume a role if necessary that was previously created as a normal IAM role
👍 1
g
I tried 
aws-sso-creds
and 
aws2-wrap
and chose to go with 
aws2-wrap
because it seems to align better with my workflow. I'm getting an error that looks like this:
Copy code
aws2-wrap pulumi up --yes

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::{account id}:assumed-role/AWSReservedSSO_AWSAdministratorAccess_{randomized}/chaueter@valohealth.com is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{account id}:role/chaueter-admin-role

Failed to assume-role arn:aws:iam::{account id}:role/chaueter-admin-role
This is surprising because I've updated the 
chaueter-admin-role
with the following trust relationship policy:
Copy code
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:sts::{account id}:assumed-role/AWSReservedSSO_AWSAdministratorAccess_{random}/chaueter@valohealth.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Am I doing something wrong here? Any advice would be appreciated.
I'm using this AWS profile:
Copy code
[profile {profile name}]
region = us-west-2
role_arn = arn:aws:iam::{account id}:role/chaueter-admin-role
sso_account_id = {account id}
sso_region = us-west-2
sso_role_name = AWSAdministratorAccess
sso_start_url = {redacted}
Open in Slack
PreviousNext
Powered by