Hello again, I have a question about cross-acount ...
# generals
steep-printer-55468
12/03/2019, 9:18 PMHello again, I have a question about cross-acount resources.
I've got a zone in Route 53 managed in one account (call it A). I'm delegating a subdomain to a zone I'm managing with Pulumi in another account (B). I have a role and policy configured in A to permit B to make the necessary changes to Route 53. Is there any way in my config applying to account B that I can assume the role in A to create the record set in A's Route 53?
c
colossal-plastic-46140
12/03/2019, 9:19 PMI believe you should be able to do this by setting up multiple providers
s
steep-printer-55468
12/03/2019, 9:20 PMah ha, using
aws.Providerc
colossal-plastic-46140
12/03/2019, 9:31 PMyea, my guess is that you should be able to pass a set of creds into the provider, ie say assume this role
colossal-plastic-46140
12/03/2019, 9:36 PMq
quaint-artist-58613
12/03/2019, 9:39 PMHey Travis,
According to pulumi documentation, you can create a new role and attach it to any resource you create within pulumi.
Your account A is not managed by pulumi, which means you cannot do across account stack reference - getStackReference(). I suggest you hardcode the arn of your resources of account A in the trust policy attached to the role in account B.
s
steep-printer-55468
12/03/2019, 9:40 PMyep, I've put the account ID and role ARN in config
steep-printer-55468
12/03/2019, 9:40 PMnot exactly hard-coded but I get what you mean 🙂
steep-printer-55468
12/03/2019, 9:50 PMcool, that worked
steep-printer-55468
12/03/2019, 9:50 PMthanks everyone!
q
quaint-artist-58613
12/03/2019, 10:10 PMYou are welcome. LOL.