nice-father-44210

11/23/2021, 5:35 PM
Hi All, if I’m running a Pulumi build from a dedicated ci-cd account, and the build machine assumes an admin role in my target account, is there a way for me to resolve the target account ID in code? In this situation pulumi_aws.get_caller_identity().account_id seems to return the ci-cd account.

freezing-van-87649

11/23/2021, 5:38 PM
get_caller_identity has an optional opts param, I believe you can explicitly set the provider there
actually do you want to do anything in the ci-cd account? Or should all actions/calls be performed in the target account?

nice-father-44210

11/23/2021, 5:42 PM
In my case, all actions should be performed in the target account. I’d just like to have the build machine in ci-cd to use AssumeRole to assume a cross-account admin role in the target account.
And then, I’d like to be able to resolve the target account ID in code.
AssumeRole is all taken care of in the CD tool itself. Once Pulumi build starts running, I don’t need any context switching.

freezing-van-87649

11/23/2021, 5:44 PM
well if pulumi_aws.get_caller_identity().account_id is returning the ci-cd account id then I think the assume role might not be working?
might want to try setting the pulumi aws assumeRole setting: https://www.pulumi.com/registry/packages/aws/installation-configuration/

nice-father-44210

11/23/2021, 5:46 PM
Let me confirm it’s working as I understand it. Thanks for feedback.
I’ve confirmed it was indeed an issue with AssumeRole in the CD tool. Using the aws:assumeRole config settings worked like a charm. Thanks!

freezing-van-87649

11/23/2021, 6:59 PM
great!