# aws
I'm unable to get Pulumi to assume a role when authenticated via SSO. Details in thread.
The `assume_role` policy attached to the role:

```python
import pulumi_aws as aws

# Trust policy for the role: only the AWS SSO SAML provider is named, as a
# Federated principal, and the SAML audience is pinned to the AWS sign-in URL.
assume_role_policy_document = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            actions=["sts:AssumeRoleWithSAML", "sts:AssumeRole"],
            effect="Allow",
            principals=[
                aws.iam.GetPolicyDocumentStatementPrincipalArgs(
                    identifiers=[
                        "arn:aws:iam::{account id}:saml-provider/AWSSSO_d3b6798fb784ed5e_DO_NOT_DELETE"
                    ],
                    type="Federated",
                ),
            ],
            conditions=[
                aws.iam.GetPolicyDocumentStatementConditionArgs(
                    test="StringEquals",
                    values=["https://signin.aws.amazon.com/saml"],
                    variable="SAML:aud",
                ),
            ],
        )
    ]
)
```
which comports with https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html#idp_saml_Prerequisites
I'm seeing this error:
```text
error: 1 error occurred:
        * error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::{account id}:role/debug) cannot be assumed.

    There are a number of possible causes of this - the most common are:
      * The credentials used in order to assume the role are invalid
      * The credentials do not have appropriate permission to assume the role
      * The role ARN is not valid

    Error: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors
```
`~/.aws/config` contains the following (it's using aws2-wrap):

```ini
[default]
region = us-west-2
sso_account_id = {account id}
sso_region = us-west-2
sso_role_name = AWSAdministratorAccess
sso_start_url = {redacted}
credential_process = aws2-wrap --process --profile default

[profile chaueter-sandbox]
region = us-west-2
role_arn = arn:aws:iam::{account id}:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dbc09583d3a27737
source_profile = default
sso_account_id = {account id}
sso_region = us-west-2
sso_role_name = AWSAdministratorAccess
sso_start_url = {redacted}
```
Pulumi is able to authenticate with the `chaueter-sandbox` profile and CRUD resources. However, it cannot assume the role set by `assume_role` in an `aws.Provider`:

```python
import os

import pulumi
import pulumi_aws as aws

# Explicit provider: authenticate with the profile named in AWS_PROFILE
# (chaueter-sandbox), then assume the target role for a two-hour session.
provider = aws.Provider(
    resource_name="provider",
    assume_role=aws.ProviderAssumeRoleArgs(
        duration_seconds=2 * 60 * 60,
        role_arn="{the role arn}",
        session_name="session",
    ),
    max_retries=1,
    profile=os.environ["AWS_PROFILE"],
    region=pulumi.Config("aws").require("region"),
)
```
I tried this condition for the `assume_role` policy:

```python
# Alternative condition: match on the SAML mail attribute instead of the audience.
aws.iam.GetPolicyDocumentStatementConditionArgs(
    test="StringEquals",
    values=["chaueter@valohealth.com"],
    variable="SAML:mail",
)
```

and got the same error message.
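An offline sanity check for the two artifacts in this thread, added here as an example; it is not code from the post, from Pulumi or from the Terraform AWS provider. It parses a constructed copy of the `~/.aws/config` above (placeholder account id and SSO start URL), walks the `role_arn`/`source_profile` chain an SDK follows for the profile Pulumi is handed, and reads a JSON form of the trust policy to report which principal types its `sts:AssumeRole` grant can match. Two facts it relies on: `sts:AssumeRole` requests are signed with IAM credentials, so the caller must match an `AWS` (or `*`) principal in the trust policy, while a `Federated` principal matches `AssumeRoleWithSAML`/`AssumeRoleWithWebIdentity` callers; and a profile that declares both `credential_process` and `sso_*` settings is resolved differently by different SDKs, so the script only flags it rather than guessing. The `SOURCE_KEYS` classification is a simplification of mine, not an SDK table.

```python
import configparser

# Constructed copy of the ~/.aws/config from the post; account id and
# start URL are placeholders, as they are in the post.
SAMPLE_CONFIG = """
[default]
region = us-west-2
sso_account_id = 123456789012
sso_region = us-west-2
sso_role_name = AWSAdministratorAccess
sso_start_url = https://example.awsapps.com/start
credential_process = aws2-wrap --process --profile default

[profile chaueter-sandbox]
region = us-west-2
role_arn = arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dbc09583d3a27737
source_profile = default
sso_account_id = 123456789012
sso_region = us-west-2
sso_role_name = AWSAdministratorAccess
sso_start_url = https://example.awsapps.com/start
"""

# Constructed JSON form of the trust policy built by the post's get_policy_document call.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sts:AssumeRoleWithSAML", "sts:AssumeRole"],
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/AWSSSO_d3b6798fb784ed5e_DO_NOT_DELETE"},
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
}

# Simplified (my own) mapping of config keys to the credential mechanism they declare.
# role_arn is handled separately because it chains to another profile.
SOURCE_KEYS = {
    "credential_process": "credential_process",
    "sso_start_url": "sso",
    "aws_access_key_id": "static",
    "web_identity_token_file": "web_identity",
}


def load_profiles(text):
    """Parse shared-config text into {profile_name: {key: value}} (drops the 'profile ' prefix)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {
        (s[len("profile "):] if s.startswith("profile ") else s): dict(parser[s])
        for s in parser.sections()
    }


def declared_sources(profile):
    """Every credential mechanism the profile declares, role_arn first."""
    found = [label for key, label in SOURCE_KEYS.items() if key in profile]
    return (["role_arn"] if "role_arn" in profile else []) + found


def resolve_chain(profiles, name):
    """Follow role_arn + source_profile links from `name` to the leaf profile.

    Returns [(profile_name, [sources]), ...] from the profile Pulumi is given
    down to the one whose credentials sign the first STS call.
    Raises ValueError on an unknown profile or a source_profile loop.
    """
    chain, seen = [], set()
    while True:
        if name in seen:
            raise ValueError(f"source_profile loop through {name!r}")
        if name not in profiles:
            raise ValueError(f"profile {name!r} not found")
        seen.add(name)
        profile = profiles[name]
        chain.append((name, declared_sources(profile)))
        if "role_arn" in profile and "source_profile" in profile:
            name = profile["source_profile"]
            continue
        return chain


def ambiguous_profiles(chain):
    """Profiles declaring more than one non-chaining mechanism; SDKs pick differently."""
    return [n for n, sources in chain if len([s for s in sources if s != "role_arn"]) > 1]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def assume_role_principal_types(policy):
    """Principal element types in Allow statements whose actions cover sts:AssumeRole."""
    types = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        types.update(["*"] if principal == "*" else principal.keys())
    return types


def iam_caller_can_assume(policy):
    """True if an IAM principal (what sts:AssumeRole authenticates) can match the trust policy."""
    return bool(assume_role_principal_types(policy) & {"AWS", "*"})


if __name__ == "__main__":
    chain = resolve_chain(load_profiles(SAMPLE_CONFIG), "chaueter-sandbox")
    for name, sources in chain:
        print(f"{name}: {', '.join(sources) or 'no credential source declared'}")
    print("ambiguous profiles:", ambiguous_profiles(chain))
    print("AssumeRole principal types:", sorted(assume_role_principal_types(SAMPLE_TRUST_POLICY)))
    print("IAM caller can AssumeRole:", iam_caller_can_assume(SAMPLE_TRUST_POLICY))
```

Run it after editing `~/.aws/config` or the trust policy to see, before invoking Pulumi, which profile actually signs the first STS call and whether that caller type is even admitted by the role's trust policy; the loop and unknown-profile checks catch the two config mistakes that otherwise surface only as an opaque "no valid providers in chain".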