https://pulumi.com logo
Powered by
#aws
Title
s

sticky-bear-14421

11/10/2020, 10:43 AM
Hi, I've got some trouble chaining providers with assumeRole and I guess Im doing something perfectly wrong, as the role chaining works in my shell. When executing pulumi up I am in the starting role, then I create the first provider ("intermediate") and execute aws.getCallerIdentity() and I get the correct json Then I use this provider to assume into the destination role inside a second account but ..
Intermediate Provider config:
Copy code
// Intermediate Provider
const providerIntermediate = new aws.Provider(
  "assume-role",
  {
    assumeRole: {
      roleArn: "arn:aws:iam::111111111111:role/intermediate",
      sessionName: "intermediate",
    },
    region: aws.config.requireRegion(),
});

// sts get-caller-identity for intermediate role provider
aws.getCallerIdentity({provider: providerIntermediate}).then(onfulfilled => console.log(onfulfilled),onrejected => console.log(onrejected))
This one will end in an error:
Copy code
// Destination provider
const providerDestination = new aws.Provider("assume-dest-role", {
  assumeRole: {
    roleArn: "arn:aws:iam::222222222222:role/destination",
    sessionName: "destination",
  },
  region: aws.config.requireRegion(),
},
  { provider: providerIntermediate, dependsOn: providerIntermediate }
);

// This one failes ..
aws.getCallerIdentity({provider: providerDestination}).then(onfulfilled => console.log(onfulfilled),onrejected => console.log("rejected with: "+ onrejected))
the console log output with the onrejected:
Copy code
rejected with: Error: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: 1 error occurred:
        * error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::222222222222:role/destination) cannot be assumed.
    There are a number of possible causes of this - the most common are:
      * The credentials used in order to assume the role are invalid
      * The credentials do not have appropriate permission to assume the role
      * The role ARN is not valid
    Error: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors
Any Ideas what I am missing? For the completness my execution flow is: my_execution_role -- assumes --> intermediateRole -- assumes --> Destination Role
I am particular puzzled by the "no valid providers in chain" message
37 Views
Powered by