Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
s
sparse-tomato-5980
11/01/2021, 7:35 PMHey folks! very basic IAM/Pulumi question:
In these docs - don't need to read it yet, just linking for context https://docs.aws.amazon.com/apigateway/latest/developerguide/grant-permissions-to-create-vpclink.html
it basically says "<create the following IAM policy/role> and <*Assign the IAM role to you or a user in your account who is creating VPC links*>"
In my situation, we're strictly provisioning stuff in Pulumi with the AWS root user.
So, two questions:
ā¢ Is it possible that this recommendation doesn't make sense for the AWS root user, who I'd assume has access to everything already?
ā¢ How does one attach an IAM role to <the AWS root user>?
l
little-cartoon-10569
11/01/2021, 7:45 PMDon't use the root user. Especially not for Pulumi.
The root user should be used for recovering after a disaster, like losing the credentials of an admin user. And pretty much nothing else.
s
sparse-tomato-5980
11/01/2021, 7:46 PMYep, this is certainly not for production š
l
little-cartoon-10569
11/01/2021, 7:46 PMImportant
We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. To view the tasks that require you to sign in as the root user, see AWS Tasks That Require Root User. For a tutorial on how to set up an administrator for daily use, see Creating your first IAM admin user and user group.
ā
1
w
worried-city-86458
11/01/2021, 8:14 PMIdeally, create an iam role - with the required perms - and assume the role, which can be passed as a parameter to the aws provider.
l
little-cartoon-10569
11/01/2021, 8:38 PMRoot user doesn't generally assume roles. I've never even tried.. why assume role as a root user, I can already do everything?
It's the restricted IAM user that needs to assume roles. And should.
Your (Pulumi's) AWS profile / env vars shouldn't be the root creds.
w
worried-city-86458
11/01/2021, 9:29 PMOh I don't mean to use the root user at all. Create another user and an iam role that the user should assume.
b
brave-nightfall-19158
11/02/2021, 8:45 AM@sparse-tomato-5980 you used to be able to create access keys for the root user but I don't know if you still can. It used to be in a separate section to IAM, I think in root account settings in the dropdown in the top right. If you could, you don't need to add any IAM roles / policies as the root user has access to everything anyway.