https://pulumi.com logo
Title
s

sparse-tomato-5980

11/01/2021, 7:35 PM
Hey folks! very basic IAM/Pulumi question: In these docs - don't need to read it yet, just linking for context https://docs.aws.amazon.com/apigateway/latest/developerguide/grant-permissions-to-create-vpclink.html it basically says "<create the following IAM policy/role> and <*Assign the IAM role to you or a user in your account who is creating VPC links*>" In my situation, we're strictly provisioning stuff in Pulumi with the AWS root user. So, two questions: ā€¢ Is it possible that this recommendation doesn't make sense for the AWS root user, who I'd assume has access to everything already? ā€¢ How does one attach an IAM role to <the AWS root user>?
l

little-cartoon-10569

11/01/2021, 7:45 PM
Don't use the root user. Especially not for Pulumi.
The root user should be used for recovering after a disaster, like losing the credentials of an admin user. And pretty much nothing else.
s

sparse-tomato-5980

11/01/2021, 7:46 PM
Yep, this is certainly not for production šŸ™‚
Important
We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. To view the tasks that require you to sign in as the root user, see AWS Tasks That Require Root User. For a tutorial on how to set up an administrator for daily use, see Creating your first IAM admin user and user group.
āœ… 1
w

worried-city-86458

11/01/2021, 8:14 PM
Ideally, create an iam role - with the required perms - and assume the role, which can be passed as a parameter to the aws provider.
l

little-cartoon-10569

11/01/2021, 8:38 PM
Root user doesn't generally assume roles. I've never even tried.. why assume role as a root user, I can already do everything?
It's the restricted IAM user that needs to assume roles. And should.
Your (Pulumi's) AWS profile / env vars shouldn't be the root creds.
w

worried-city-86458

11/01/2021, 9:29 PM
Oh I don't mean to use the root user at all. Create another user and an iam role that the user should assume.
b

brave-nightfall-19158

11/02/2021, 8:45 AM
@sparse-tomato-5980 you used to be able to create access keys for the root user but I don't know if you still can. It used to be in a separate section to IAM, I think in root account settings in the dropdown in the top right. If you could, you don't need to add any IAM roles / policies as the root user has access to everything anyway.