https://pulumi.com logo
Title
n

numerous-printer-41511

11/19/2021, 1:19 AM
Is there a better way than just manually running
aws sts assume-role
and then exporting the key/secret/token before each
pulumi up/apply
?
l

little-cartoon-10569

11/19/2021, 1:25 AM
The Pulumi AWS provider has an assumeRole field. Create a provider for each role you need. https://www.pulumi.com/registry/packages/aws/api-docs/provider/#properties
n

numerous-printer-41511

11/19/2021, 4:20 AM
do you really have to pass this new provider to every resource you create?
l

little-cartoon-10569

11/19/2021, 4:23 AM
Yes. Though if you're using ComponentResources, you can rely on the inheritance of providers. Child resources automatically get their parent's provider, unless overridden.
You wouldn't want a provider that can deploy to more than one region or whatever. That would allow for accidentally deploying to the wrong place. If one function's side effect changes the region.. chaos could ensue.
n

numerous-printer-41511

11/19/2021, 4:31 AM
makes sense
am I correct in thinking a “Provider” is basically some settings on the AWS client?
auth + region, that kind of thing
doesn’t really control any business logic
Hey @little-cartoon-10569 — after using a customer provider, I’m seeing that since the provider is “changing”, it tries to recreate the resource. Do you know of a way around this?
l

little-cartoon-10569

11/21/2021, 7:52 PM
Yes @numerous-printer-41511, a Pulumi provider is the API client, wrapping config values and auth, and orchestrating the CRUD actions.
When changing a provider, the resources do get destroyed, unfortunately. There are workarounds, none particularly pleasant.
You can create the new provider with the same settings as the default provider,, then export the stack, edit all the resources to use the explicit provider, and import the stack.
You can create a new stack that uses the explicit provider, import all the resources to it, and delete them from the old stack.
n

numerous-printer-41511

11/21/2021, 7:54 PM
ah that makes sense. A bit error prone, but that’s a good solution
l

little-cartoon-10569

11/21/2021, 7:55 PM
I'm pretty sure that aliases don't work to alias providers, unfortunately 😞