# aws

purple-orange-91853, 04/22/2021, 9:25 PM
I am trying to set up Pulumi to work with AWS role switching. We utilize several AWS accounts tied back to a single AWS identity account and we don't have users defined in any other account but our identity account. I've got my aws cli configured and I can specify a profile and it connects to the correct role_arn and account. However, when trying to leverage this functionality in Pulumi it errors out with either

```
error configuring Terraform AWS Provider: Error creating AWS session: SharedConfigAssumeRoleError: failed to load assume role for arn:aws:iam::ACCTNUM:role/ROLE, source profile dev_pulumi has no shared credentials
```

or

```
error configuring Terraform AWS Provider: Error creating AWS session: CredentialRequiresARNError: credential type source_profile requires role_arn, profile dev-pulumi
```
My aws cli config:

```ini
.aws/credentials
[default]
aws_access_key_id = redacted
aws_secret_access_key = redacted

[prod-main]
aws_access_key_id = redacted
aws_secret_access_key = redacted

[ecr-dev]
aws_access_key_id = redacted
aws_secret_access_key = redacted

[dev-pulumi]
aws_access_key_id = redacted
aws_secret_access_key = redacted

[default]
region = us-east-1

.aws/config
[profile prod]
source_profile = prod-main
role_arn = arn:aws:iam::redacted:role/redacted-TEMP
mfa_serial = arn:aws:iam::redacted:mfa/tony

[profile dev]
source_profile = prod-main
role_arn = arn:aws:iam::redacted:role/redacted-TEMP
mfa_serial = arn:aws:iam::redacted:mfa/tony

[profile eks-dev]
role_arn = arn:aws:iam::redacted:role/redacted-eksRole-role-redacted
source_profile = prod-main
mfa_serial = arn:aws:iam::redacted:mfa/tony

[profile ecr-dev]
source_profile = ecr-dev

[profile dev-pulumi]
source_profile = dev_pulumi
role_arn = arn:aws:iam::redacted:role/redacted-TEMP
```
I am currently just getting started with Pulumi so I am just following the basic steps outlined here: https://www.pulumi.com/docs/get-started/aws/begin/.

billowy-army-68599, 04/22/2021, 9:29 PM
hey Tony! I could be wrong, but i think there's a typo here?

```ini
[dev-pulumi]
aws_access_key_id = redacted
aws_secret_access_key = redacted

[profile dev-pulumi]
source_profile = dev_pulumi
role_arn = arn:aws:iam::redacted:role/redacted-TEMP
```

shouldn't this be `dev-pulumi` (dash, not underscore?) I don't see any `dev_pulumi` profile

purple-orange-91853, 04/22/2021, 9:39 PM
well that's horribly embarrassing
that totally was the issue. thank you much!

billowy-army-68599, 04/22/2021, 9:42 PM
glad it was simple!

purple-orange-91853, 04/22/2021, 9:45 PM
well maybe not... just realized in testing I created a user out of scope in the dev account to test that it worked and it worked with the user/role being in the same account. When I switch the awsprofile in the Pulumi.dev.yaml to just `dev` file it fails with

```
error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configuration
```

this is the one that is logging in to the identity account and then role switching to another account entirely. for example the identity account number is 123456, and the dev account number is 098765

```ini
[profile prod]
source_profile = prod-main
role_arn = arn:aws:iam::123456:role/role-TEMP
mfa_serial = arn:aws:iam::123456:mfa/tony

[profile dev]
source_profile = prod-main
role_arn = arn:aws:iam::098765:role/role-TEMP
mfa_serial = arn:aws:iam::123456:mfa/tony
```

billowy-army-68599, 04/22/2021, 10:19 PM
i'm not totally sure of the answer to that, it seems you're using profiles in a fairly unique way and I'm unfortunately not familiar with it - ultimately Pulumi will use the profile if it's set up correctly, it uses the AWS GO SDK

ambitious-father-68746, 04/23/2021, 9:00 AM
@purple-orange-91853 Check the Pulumi section here, maybe it will help: https://gist.github.com/Sodki/95b04ee9f4f44ed81de23b0cff3a4685

purple-orange-91853, 04/23/2021, 3:12 PM
for context I am using the standard method by AWS to authenticate against different accounts. The roles and policies are configured correctly as I can switch via the AWS CLI and have access to the correct resources when using `--profile` in my cli strings. See "Example scenario: Allow an instance profile role to switch to a role in another account" in this AWS doc for reference. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-cli.html

billowy-army-68599, 04/23/2021, 4:21 PM
@purple-orange-91853 it might be easier to jump on a call to get this configured, can you grab some time from here for next week? https://calendly.com/d/mxtb-bs7b/30-minute-meeting