
faint-forest-37701

04/09/2021, 3:10 PM
I'm using pulumi but have multiple AWS environments. How can I tell which environment pulumi is configured to use? Also, how can I switch between them?

bumpy-summer-9075

04/09/2021, 3:11 PM
You can have something like this in your stack config:
config:
  aws:region: us-east-1
  aws:allowedAccountIds: ['123456789012']
  aws:assumeRole:
    roleArn: arn:aws:iam::123456789012:role/someRole
    sessionName: pulumi

faint-forest-37701

04/09/2021, 3:17 PM
Can you point me to any documentation to properly set up a role for pulumi in AWS?
I could probably wing it by creating something that has admin access to everything, but I'd rather learn what is actually needed
thank you for your help btw

bumpy-summer-9075

04/09/2021, 3:18 PM
Well, that's not really Pulumi's responsibility; you need to give the role permissions to manipulate the resources pulumi will handle
so if you want to create S3 buckets from pulumi, well, you need to give that role permissions to manipulate S3 buckets (either all of them, or specific ones)
That's an AWS thing, and IAM roles and policies are a PITA on AWS

faint-forest-37701

04/09/2021, 3:23 PM
yeah that makes sense. So when you're working with this, do you go least privilege first and then add permissions as you go?
is that best practice?

bumpy-summer-9075

04/09/2021, 3:33 PM
yes but it can be annoying
What I would recommend, if you're just starting out, is to declare your resources in Pulumi, and then do the preview/up/destroy operations. pulumi is going to spit out permissions errors and you can use them to set up your IAM policies
it's not the cleanest way but it'll show you exactly which permissions you need, when you need them

billowy-army-68599

04/09/2021, 3:52 PM
I haven't tried this myself (yet) but there's a tool here to generate IAM policy documents from calls from the Pulumi CLI: https://github.com/iann0036/iamlive