steep-printer-55468

12/03/2019, 9:18 PM
Hello again, I have a question about cross-account resources. I've got a zone in Route 53 managed in one account (call it A). I'm delegating a subdomain to a zone I'm managing with Pulumi in another account (B). I have a role and policy configured in A to permit B to make the necessary changes to Route 53. Is there any way in my config applying to account B that I can assume the role in A to create the record set in A's Route 53?
colossal-plastic-46140

12/03/2019, 9:19 PM
I believe you should be able to do this by setting up multiple providers
steep-printer-55468

12/03/2019, 9:20 PM
ah ha, using aws.Provider?
colossal-plastic-46140

12/03/2019, 9:31 PM
yea, my guess is that you should be able to pass a set of creds into the provider, ie say assume this role
quaint-artist-58613

12/03/2019, 9:39 PM
Hey Travis, according to the Pulumi documentation, you can create a new role and attach it to any resource you create within Pulumi. Your account A is not managed by Pulumi, which means you cannot do a cross-account stack reference - getStackReference(). I suggest you hardcode the ARN of your resources of account A in the trust policy attached to the role in account B.
steep-printer-55468

12/03/2019, 9:40 PM
yep, I've put the account ID and role ARN in config
not exactly hard-coded but I get what you mean 🙂
cool, that worked
thanks everyone!
quaint-artist-58613

12/03/2019, 10:10 PM
You are welcome. LOL.