https://pulumi.com logo
Powered by
e

elegant-crayon-4967

07/14/2021, 7:00 PM
I’m having an issue where the AWS Provider doesn’t seem to be respecting the 
sessionName
param passed in. We have conditions setup on our service accounts that only allow assume role usage if the session name matches the correct phrase. I have Pulumi setup to match this 
_sessionName_: 'agent-example'
but in my cloudtrail logs I can clearly see the assume role operation denied and the request parameters show as “null” where it should show the sessionName.
w

witty-candle-66007

07/14/2021, 7:46 PM
I’ve not really done much with assume role, but I just ran this example: https://github.com/pulumi/examples/tree/master/aws-ts-assume-role And in the CreateBucket event in cloud trail, I see User name is “PulumiSession” which is the sessionName used in the example. And in the event record, I see “PulumiSession” as part of the principalId and the arn So the sessionName appears to be making it to AWS. Are you expecting it to be represented in some other way?
e

elegant-crayon-4967

07/14/2021, 8:28 PM
in cloud trail what do you see under the request parameters?
w

witty-candle-66007

07/14/2021, 8:31 PM
Copy code
"requestParameters": {
        "bucketName": "my-bucket-bb6c451",
        "Host": "<http://my-bucket-bb6c451.s3.amazonaws.com|my-bucket-bb6c451.s3.amazonaws.com>",
        "x-amz-acl": "private"
    },
So I think you’re saying the session name should show up in there?
e

elegant-crayon-4967

07/14/2021, 8:33 PM
yea, let me send you a good / bad example 🙂
bad:
good”
w

witty-candle-66007

07/14/2021, 8:42 PM
I’m a little confused why your good example has very different values in the requestParameters compared to my CreateBucket requestParameters.
Are you using assume_role for the provider when creating another role - the roleArn in your good example?
e

elegant-crayon-4967

07/14/2021, 9:04 PM
not sure what you’re asking…in the good example, that’s doing a straight 
aws sts assume-role
command
the bad example is letting the pulumi provider do it
w

witty-candle-66007

07/14/2021, 9:19 PM
Is the good example from a cloudtrail record for the assume-role event? In my case from the example referenced above, the only place the session name showed up at all was related to creating a resource (s3 bucket) using the aws provider created with the assume role stuff.
e

elegant-crayon-4967

07/14/2021, 10:15 PM
yea, cloud trail from the assume-role CLI command
but have you tested yours with a conditional?
that ONLY assumptions with that session name are allowed?
in the IAM Policy
w

witty-candle-66007

07/15/2021, 1:04 PM
No, but I’m wondering if the session name as such is seen in cloud trail when creating a resource as the assumed role. For example, if you use the AWS CLI to create, say, an S3 bucket, does it show the session name in the cloud trail request parameters?
e

elegant-crayon-4967

07/15/2021, 11:56 PM
well I’m not so worried about that as I am the actual process of assuming the role
that’s the parts that’s failing…when trying to assume a role
w

witty-candle-66007

07/16/2021, 1:10 PM
When I ran the example code I referenced above, I never saw an assume role event in Cloudtrail. So I am wondering if things work the same way as when executing the AWS CLI. But maybe that’s my mistake. When you run your pulumi code, do you see an assume role event? Is it an assume role event that you are referencing in your “bad example” above? If so, then there is probably a bug and I would recommend opening a github issue against the AWS provider.
e

elegant-crayon-4967

07/16/2021, 4:56 PM
yea I will open a github issue and just go from there. Right now I abandoned being able to switch providers with an IAM conditional in play for role session
Powered by