Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
f
faint-forest-37701
04/09/2021, 3:10 PMI'm using pulumi but have multiple AWS environments. How can I tell which environment pulumi is configured to use? Also, how can I switch between them
b
bumpy-summer-9075
04/09/2021, 3:11 PMYou can have something like this in your stack config:
config:
aws:region: us-east-1
aws:allowedAccountIds: ['123456789012']
aws:assumeRole:
roleArn: arn:aws:iam::123456789012:role/someRole
sessionName: pulumif
faint-forest-37701
04/09/2021, 3:17 PMCan you point me to any documentation to properly setup a role for pulumi in AWS?
I could probably wing it by creating something that has admin access to everything, but I'd rather learn what is actually needed
thank you for your help btw
b
bumpy-summer-9075
04/09/2021, 3:18 PMWell that's not really Pulumi's responsability, you need to give the role permissions to manipulate the resources pulumi will handle
so if you want to create S3 buckets from pulumi, well you need to give that role permissions to manipulate S3 buckets (either all of them, or specific ones)
That's an AWS thing, and IAM roles and policies is a PITA on AWS
f
faint-forest-37701
04/09/2021, 3:23 PMyeah that makes sense. So when youre working with this, do you go least privelage first and then add permissions as you go?
is that best practice
b
bumpy-summer-9075
04/09/2021, 3:33 PMyes but it can be annoying
What I would recommend, if you're just starting out, is to declare your resources in Pulumi, and then do the preview/up/destroy operations, pulumi is going to spit out permissions error and you can use them to setup your IAM poilicies
it's not the cleanest way but it'll show you exactly which permissions you need, when you need them
b
billowy-army-68599
04/09/2021, 3:52 PMI haven't tried this myself (yet) but there's a tool here to generate IAM policy documents from calls from the Pulumi CLI:
https://github.com/iann0036/iamlive
👍 1