# aws
g
I want pulumi to assume a role to create some resources. We're using Amazon's SSO. The AWS-generated IAM Identity Provider looks like `arn:aws:iam::{account ID}:saml-provider/AWSSSO_{redacted}_DO_NOT_DELETE`. With that as the role's assume_role policy `principal` (with type `Federated`), the role assumption fails with

```text
* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
```

Should I be doing this differently?
b
how are you doing this, via a provider?
i
I use https://github.com/linaro-its/aws2-wrap to run Pulumi from the cli while logged in via AWS SSO
g
@billowy-army-68599 yes, using a `ProviderResource` in `opts`
b
can you share how you're configuring it?
g
```python
import pulumi_aws as aws

# Trust policy: allow principals federated through the AWS SSO SAML provider
# to call sts:AssumeRole on this role.
assume_role_policy_document = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            actions=["sts:AssumeRole"],
            effect="Allow",
            principals=[
                aws.iam.GetPolicyDocumentStatementPrincipalArgs(
                    identifiers=["arn:aws:iam::{account_id}:saml-provider/AWSSSO_{redacted}_DO_NOT_DELETE"],
                    type="Federated",
                )
            ],
            resources=[],
            sid="AmazonSAMLUserCanAssumeRole",
        )
    ]
)

# The role Pulumi should assume; `nomen` is an internal naming helper (see below).
opal_role = aws.iam.Role(
    resource_name=nomen.resource_name("role"),
    assume_role_policy=assume_role_policy_document.json,
    description=nomen.description("Execute systems."),
    max_session_duration=60 * 60,  # one hour, in seconds
    name=nomen.resource_name("role"),
    path=nomen.path(),
    tags=nomen.tags(),
)
```

The SSO was set up by Control Tower -- LMK if you need any specifics there
`nomen` is an internal naming library instance that you can disregard
The `ProviderResource`:
```python
import pulumi
import pulumi_aws as aws

# STACK_NAME (the AWS profile to use) and A_POLICY (an optional session policy)
# are defined elsewhere in the stack.
pulumi.ProviderResource(
    pkg="aws",
    name=nomen.resource_name('provider'),
    props={
        "profile": STACK_NAME,
        "assume_role": aws.ProviderAssumeRoleArgs(
            policy=A_POLICY,
            role_arn=opal_role.arn,
            session_name=nomen.resource_name('session'),
        ),
    },
)
```
b
I could be missing something, but it seems you're assuming role into that sso role from some credentials on your machine, is that right? you have a profile configured etc
I think you need to get some temporary creds for your profile
i
aws2-wrap gets those temporary creds
b
yeah there's also `aws-vault` and I wrote a little thing to do it too: https://github.com/jaxxstorm/aws-sso-creds
g
Yes, using the AWS CLI v1 creds generated via the AWS SSO page. Those are working as expected.
I don't think the credentials are the issue because with these creds pulumi successfully executes. The thing not working is assuming the role defined above. I'm looking at `principals` as the culprit.
I'll give `aws-sso-creds` and `aws2-wrap` each a shot and report back.
i
to clarify, i use `aws2-okta` to run Pulumi using a profile that has sufficient privileges to do what I want, and have Pulumi assume a role if necessary that was previously created as a normal IAM role
g
I tried `aws-sso-creds` and `aws2-wrap` and chose to go with `aws2-wrap` because it seems to align better with my workflow. I'm getting an error that looks like this:

```text
aws2-wrap pulumi up --yes

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::{account id}:assumed-role/AWSReservedSSO_AWSAdministratorAccess_{randomized}/chaueter@valohealth.com is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{account id}:role/chaueter-admin-role

Failed to assume-role arn:aws:iam::{account id}:role/chaueter-admin-role
```
This is surprising because I've updated the `chaueter-admin-role` with the following trust relationship policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:sts::{account id}:assumed-role/AWSReservedSSO_AWSAdministratorAccess_{random}/chaueter@valohealth.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Am I doing something wrong here? Any advice would be appreciated.
I'm using this AWS profile:

```ini
[profile {profile name}]
region = us-west-2
role_arn = arn:aws:iam::{account id}:role/chaueter-admin-role
sso_account_id = {account id}
sso_region = us-west-2
sso_role_name = AWSAdministratorAccess
sso_start_url = {redacted}
```