wooden-student-58350
05/19/2021, 6:11 PM
aws.Provider to assume role into a sub-account role and create a resource in that sub-account:
# ~/.aws/credentials
[bastion-profile]
aws_access_key_id = redact
aws_secret_access_key = redact

# Pulumi.<stack>.yaml
…
config:
  aws:allowedAccountIds:
    - <bastionAccountId>
  aws:profile: bastion-profile
  aws:region: eu-west-2
…
# index.ts
import * as aws from "@pulumi/aws";

// Assume role into IAM Role "role-manager" in sub-account.
const subAccountProvider = new aws.Provider("…", {
  region: "eu-west-2",
  allowedAccountIds: [subAccountId],
  assumeRole: {
    sessionName: "role-manager-session",
    roleArn: `arn:aws:iam::${subAccountId}:role/role-manager`,
    externalId: "…",
    durationSeconds: 60 * 5,
  },
});

// Create a new resource in the sub-account.
const newRoleInSubAccount = new aws.iam.Role("new-role", {
  …
}, {
  provider: subAccountProvider,
});
On pulumi up, I get the following error:
error: 1 error occurred:
* error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::<redact>:role/role-manager) cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
Error: NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
I have verified:
• aws.getCallerIdentity() returns the expected IAM User from the “bastion-profile” credentials in ~/.aws/credentials. That User has permission for the sts:AssumeRole action on the Role ARN in the error message.
• The IAM Role ARN in the error message exists, and its trust relationship allows the sts:AssumeRole action for any user in the bastion account.
• The default AWS provider works fine to create/destroy resources in the bastion account, so the credentials are valid.
What am I missing? Does Pulumi treat ~/.aws/credentials differently for explicit providers vs the default provider?

billowy-army-68599
05/19/2021, 6:33 PM
~/.aws/credentials should work.
Does assuming the role manually work?

wooden-student-58350
05/19/2021, 6:54 PM
Parameter validation failed:
Invalid value for parameter DurationSeconds, value: 300, valid min value: 900
Changing the duration to 900 in the Pulumi program fixed the issue 🙂

billowy-army-68599
05/19/2021, 6:58 PMwooden-student-58350
05/19/2021, 7:00 PM