
gifted-vase-28337

10/30/2020, 5:41 PM
I want pulumi to assume a role to create some resources. We're using Amazon's SSO. The AWS-generated IAM Identity Provider looks like `arn:aws:iam::{account ID}:saml-provider/AWSSSO_{redacted}_DO_NOT_DELETE`. With that as the role's assume_role policy `principal` (with type `Federated`), the role assumption fails with
* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
Should I be doing this differently?

billowy-army-68599

10/30/2020, 6:16 PM
how are you doing this, via a provider?

important-appointment-55126

10/30/2020, 6:19 PM
I use https://github.com/linaro-its/aws2-wrap to run Pulumi from the cli while logged in via AWS SSO

gifted-vase-28337

10/30/2020, 6:58 PM
@billowy-army-68599 yes, using a `ProviderResource` in `opts`

billowy-army-68599

10/30/2020, 6:58 PM
can you share how you're configuring it?

gifted-vase-28337

10/30/2020, 7:09 PM
assume_role_policy_document = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            actions=["sts:AssumeRole"],
            effect="Allow",
            principals=[
                aws.iam.GetPolicyDocumentStatementPrincipalArgs(
                    identifiers=["arn:aws:iam::{account_id}:saml-provider/AWSSSO_{redacted}_DO_NOT_DELETE"],
                    type="Federated",
                )
            ],
            resources=[],
            sid="AmazonSAMLUserCanAssumeRole",
        )
    ]
)

opal_role = aws.iam.Role(
    resource_name=nomen.resource_name("role"),
    assume_role_policy=assume_role_policy_document.json,
    description=nomen.description("Execute systems."),
    max_session_duration=60 * 60,
    name=nomen.resource_name("role"),
    path=nomen.path(),
    tags=nomen.tags(),
)
The SSO was set up by Control Tower -- LMK if you need any specifics there
`nomen` is an internal naming library instance that you can disregard
The `ProviderResource`:
pulumi.ProviderResource(
    pkg="aws",
    name=nomen.resource_name('provider'),
    props={
        "profile": STACK_NAME,
        "assume_role": aws.ProviderAssumeRoleArgs(
            policy=A_POLICY,
            role_arn=opal_role.arn,
            session_name=nomen.resource_name('session'),
        ),
    },
)

billowy-army-68599

10/30/2020, 8:00 PM
I could be missing something, but it seems you're assuming role into that sso role from some credentials on your machine, is that right? you have a profile configured etc
I think you need to get some temporary creds for your profile

important-appointment-55126

10/30/2020, 8:13 PM
aws2-wrap gets those temporary creds

billowy-army-68599

10/30/2020, 8:22 PM
yeah there's also `aws-vault` and I wrote a little thing to do it too: https://github.com/jaxxstorm/aws-sso-creds

gifted-vase-28337

10/30/2020, 9:13 PM
Yes, using the AWS CLI v1 creds generated via the AWS SSO page. Those are working as expected.
I don't think the credentials are the issue because with these creds pulumi successfully executes. The thing not working is assuming the role defined above. I'm looking at `principals` as the culprit.
I'll give `aws-sso-creds` and `aws2-wrap` each a shot and report back.

important-appointment-55126

10/30/2020, 9:47 PM
to clarify, i use `aws2-okta` to run Pulumi using a profile that has sufficient privileges to do what I want, and have Pulumi assume a role if necessary that was previously created as a normal IAM role

gifted-vase-28337

11/06/2020, 1:12 AM
I tried `aws-sso-creds` and `aws2-wrap` and chose to go with `aws2-wrap` because it seems to align better with my workflow. I'm getting an error that looks like this:
aws2-wrap pulumi up --yes

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::{account id}:assumed-role/AWSReservedSSO_AWSAdministratorAccess_{randomized}/chaueter@valohealth.com is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{account id}:role/chaueter-admin-role

Failed to assume-role arn:aws:iam::{account id}:role/chaueter-admin-role
This is surprising because I've updated the `chaueter-admin-role` with the following trust relationship policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:sts::{account id}:assumed-role/AWSReservedSSO_AWSAdministratorAccess_{random}/chaueter@valohealth.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Am I doing something wrong here? Any advice would be appreciated.
I'm using this AWS profile:
[profile {profile name}]
region = us-west-2
role_arn = arn:aws:iam::{account id}:role/chaueter-admin-role
sso_account_id = {account id}
sso_region = us-west-2
sso_role_name = AWSAdministratorAccess
sso_start_url = {redacted}