#general

busy-umbrella-36067

06/28/2019, 3:27 PM
I'm getting a sort-of race condition when using an IAM role to create an AWS provider. Pulumi tries to assume the role immediately, before IAM has a chance to register the permissions. An apply results in: error: The role "arn:aws:iam::xxx:role/xxx" cannot be assumed. Running pulumi update a second time, after the role has been fully created, successfully creates a usable provider.
import * as aws from "@pulumi/aws";

// Role that trusts the current account's root principal, so any principal
// in this account (including the credentials Pulumi runs with) may assume it.
const role = new aws.iam.Role("testrole", {
  assumeRolePolicy: aws.getCallerIdentity().then(id => {
    return {
      Version: "2012-10-17",
      Statement: [
        {
          Effect: "Allow",
          Principal: {
            AWS: `arn:aws:iam::${id.accountId}:root`
          },
          Action: "sts:AssumeRole"
        }
      ]
    };
  })
});

// Permissions policy granted to the role (full S3 access).
const rolePolicy = new aws.iam.Policy("test", {
  description: "Full S3 Admin",
  policy: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: "s3:*",
        Resource: "*"
      }
    ]
  }
});

const rolePolicyAttachment = new aws.iam.RolePolicyAttachment("test", {
  policyArn: rolePolicy.arn,
  role: role
});

// Provider whose credentials come from assuming the role above.
// dependsOn only orders the resource graph; it does not wait for IAM's
// eventual consistency, so the first sts:AssumeRole can still be rejected.
const roleProvider = new aws.Provider(
  "test",
  {
    assumeRole: {
      roleArn: role.arn
    }
  },
  { dependsOn: rolePolicyAttachment }
);

// try to make an s3 bucket using role provider
// this will fail once and then work
const s3Bucket = new aws.s3.Bucket(
  "test",
  {},
  { provider: roleProvider, dependsOn: roleProvider }
);