millions-furniture-75402
02/24/2021, 8:20 PM
`aws --profile grey-sandbox-deployment ec2 describe-instances` will work, but `aws:profile` in `Pulumi.sandbox.yaml` will not work, complaining about missing AWS accesskey and secretaccesskeys.
```
pulumi preview
...
Error: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configuration
```
We see that assumeRole is supported by the provider https://www.pulumi.com/docs/reference/pkg/aws/provider/#providerassumerole — but there is no `mfa_serial`, not that we want to pass that to the AWS Provider…
It would be preferred if the AWS Provider understood the AWS config the same way as the aws cli.
billowy-army-68599
02/24/2021, 8:25 PM
millions-furniture-75402
02/24/2021, 8:26 PM
billowy-army-68599
02/24/2021, 8:28 PM
millions-furniture-75402
02/24/2021, 8:29 PM
billowy-army-68599
02/24/2021, 8:33 PM
millions-furniture-75402
02/24/2021, 8:33 PM
billowy-army-68599
02/24/2021, 8:34 PM
millions-furniture-75402
02/24/2021, 8:34 PM
```
$(grep "$(aws --profile $(pulumi config get aws:profile) sts get-caller-identity |jq -r '.UserId')" ~/.aws/cli/cache/*.json |jq -r '"export AWS_ACCESS_KEY_ID="+.Credentials.AccessKeyId,"export AWS_SECRET_ACCESS_KEY="+.Credentials.SecretAccessKey,"export AWS_SESSION_TOKEN="+.Credentials.SessionToken'); pulumi preview
```
little-cartoon-10569
02/24/2021, 10:58 PM
`mfa-profile` as their _source_profile_. We have a script that calls `aws sts get-session-token` and `aws configure set profile.mfa-profile....` to set up `mfa-profile`.
millions-furniture-75402
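02/25/2021, 3:07 PM
```bash
# Wrapper: for pulumi commands that call AWS, reuse the role credentials the aws CLI has already cached.
function pulumi () {
  local PULUMI_COMMANDS_AWS_REQUIRED=(destroy logs preview refresh up update watch)
  local AWS_REQUIRED=$([[ " ${PULUMI_COMMANDS_AWS_REQUIRED[@]} " =~ " ${1} " ]] && echo "true")
  # Declared up front so a ROLE_ARN already set in the calling shell is never picked up.
  local PULUMI_AWS_PROFILE ROLE_ARN
  if [[ -n ${AWS_REQUIRED} ]]; then
    PULUMI_AWS_PROFILE=$(command pulumi config get aws:profile 2> /dev/null)
    ROLE_ARN=$(aws configure get "profile.${PULUMI_AWS_PROFILE}.role_arn")
  fi
  if [[ -n ${ROLE_ARN} ]]; then
    echo "Using AWS Profile: ${PULUMI_AWS_PROFILE}"
    # The aws CLI assumes the role for this call and caches the session under ~/.aws/cli/cache.
    local AWS_ROLE_USER_ID=$(aws --profile "${PULUMI_AWS_PROFILE}" sts get-caller-identity | jq -r '.UserId')
    # Fail instead of returning success when the identity lookup produced nothing.
    if [[ -z ${AWS_ROLE_USER_ID} ]]; then return 1; fi
    # Find the cached credential file for this assumed-role session (fixed-string match).
    local AWS_CREDENTIALS=$(grep -hsF "${AWS_ROLE_USER_ID}" ~/.aws/cli/cache/*.json)
    # Pass the temporary credentials to this one pulumi invocation only; nothing is exported.
    AWS_ACCESS_KEY_ID=$(echo "${AWS_CREDENTIALS}" | jq -r '.Credentials.AccessKeyId') \
    AWS_SECRET_ACCESS_KEY=$(echo "${AWS_CREDENTIALS}" | jq -r '.Credentials.SecretAccessKey') \
    AWS_SESSION_TOKEN=$(echo "${AWS_CREDENTIALS}" | jq -r '.Credentials.SessionToken') \
    command pulumi "$@"
  else
    command pulumi "$@"
  fi
}
```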
little-cartoon-10569
02/25/2021, 8:10 PM