https://pulumi.com logo
Powered by
Title
w

wooden-student-58350

05/19/2021, 6:11 PM
Hi, I’m using a Pulumi program to create some resources on a bastion account and several sub-accounts, but I’m stuck with an error when I try to use a non-default 
aws.Provider
to assume role into a sub-account role and create a resource in that sub-account: 
# ~/.aws/credentials

[bastion-profile]
aws_access_key_id = redact
aws_secret_access_key = redact


# Pulumi.<stack>.yaml
…
config:
 aws:allowedAccountIds:
 - <bastionAccountId>
 aws:profile: bastion-profile
 aws:region: eu-west-2
 …


# index.ts

// Assume role into IAM Role "role-manager" in sub-account.
const subAccountProvider = new aws.Provider("…", {
   region: "eu-west-2",
   allowedAccountIds: [subAccountId],
   assumeRole: {
      sessionName "role-manager-session",
      roleArn: `arn:aws:iam::${subAccountId}:role/role-manager`,
      externalId: "…",
      durationSeconds: 60 * 5,
   },
});

// Create a new resource in the sub-account.
const newRoleInSubAccount = new aws.iam.Role("new-role", {
   …
}, {
   provider: subAccountProvider,
});
On 
pulumi up
, I get the following error: 
error: 1 error occurred:
    * error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::<redact>:role/role-manager) cannot be assumed.
   
  There are a number of possible causes of this - the most common are:
   * The credentials used in order to assume the role are invalid
   * The credentials do not have appropriate permission to assume the role
   * The role ARN is not valid
   
  Error: NoCredentialProviders: no valid providers in chain. Deprecated.
    For verbose messaging see aws.Config.CredentialsChainVerboseErrors
I have verified: • 
aws.getCallerIdentity()
returns the expected IAM User from the “bastion-profile” credentials in 
~/.aws/credentials
. That User has permission for the 
sts:AssumeRole
action on the Role ARN in the error message. • The IAM Role ARN in the error message exists, and its trust relationship allows the 
sts:AssumeRole
action for any user in the bastion account. • The default AWS provider works fine to create/destroy resources in the bastion account, so the credentials are valid. What am I missing? Does Pulumi treat 
~/.aws/credentials
differently for explicit providers vs the default provider?
b

billowy-army-68599

05/19/2021, 6:33 PM
Pulumi uses the AWS GO SDK for all its calls, so anything you're using with 
~/.aws/credentials
should work. Does assuming the rule manually work?
w

wooden-student-58350

05/19/2021, 6:54 PM
Aha! I tried it manually with the AWS CLI, and it gave me this error: 
Parameter validation failed:
Invalid value for parameter DurationSeconds, value: 300, valid min value: 900
Changing the duration to 900 in the Pulumi program fixed the issue 🙂
Thanks for the suggestion
Should the underlying error message be passed through to the output of pulumi preview/up?
b

billowy-army-68599

05/19/2021, 6:58 PM
it's a little difficult for us to capture them, but we're working on some improvements here, sorry for the lack of info
w

wooden-student-58350

05/19/2021, 7:00 PM
No problem, thanks for your speedy response, very helpful 🙏
#awsJoin Slack
Powered by