This message was deleted.
# generals
sparse-intern-71089
07/14/2021, 7:00 PMThis message was deleted.
w
witty-candle-66007
07/14/2021, 7:46 PMI’ve not really done much with assume role, but I just ran this example: https://github.com/pulumi/examples/tree/master/aws-ts-assume-role
And in the CreateBucket event in cloud trail, I see User name is “PulumiSession” which is the sessionName used in the example.
And in the event record, I see “PulumiSession” as part of the principalId and the arn
So the sessionName appears to be making it to AWS.
Are you expecting it to be represented in some other way?
e
elegant-crayon-4967
07/14/2021, 8:28 PMin cloud trail what do you see under the request parameters?
w
witty-candle-66007
07/14/2021, 8:31 PM Copy code
"requestParameters": {
"bucketName": "my-bucket-bb6c451",
"Host": "<http://my-bucket-bb6c451.s3.amazonaws.com|my-bucket-bb6c451.s3.amazonaws.com>",
"x-amz-acl": "private"
},witty-candle-66007
07/14/2021, 8:31 PMSo I think you’re saying the session name should show up in there?
e
elegant-crayon-4967
07/14/2021, 8:33 PMyea, let me send you a good / bad example 🙂
elegant-crayon-4967
07/14/2021, 8:36 PMbad:
elegant-crayon-4967
07/14/2021, 8:37 PMgood”
w
witty-candle-66007
07/14/2021, 8:42 PMI’m a little confused why your good example has very different values in the requestParameters compared to my CreateBucket requestParameters.
witty-candle-66007
07/14/2021, 8:43 PMAre you using assume_role for the provider when creating another role - the roleArn in your good example?
e
elegant-crayon-4967
07/14/2021, 9:04 PMnot sure what you’re asking…in the good example, that’s doing a straight
aws sts assume-roleelegant-crayon-4967
07/14/2021, 9:04 PMthe bad example is letting the pulumi provider do it
w
witty-candle-66007
07/14/2021, 9:19 PMIs the good example from a cloudtrail record for the assume-role event?
In my case from the example referenced above, the only place the session name showed up at all was related to creating a resource (s3 bucket) using the aws provider created with the assume role stuff.
e
elegant-crayon-4967
07/14/2021, 10:15 PMyea, cloud trail from the assume-role CLI command
elegant-crayon-4967
07/14/2021, 10:15 PMbut have you tested yours with a conditional?
elegant-crayon-4967
07/14/2021, 10:15 PMthat ONLY assumptions with that session name are allowed?
elegant-crayon-4967
07/14/2021, 10:15 PMin the IAM Policy
w
witty-candle-66007
07/15/2021, 1:04 PMNo, but I’m wondering if the session name as such is seen in cloud trail when creating a resource as the assumed role.
For example, if you use the AWS CLI to create, say, an S3 bucket, does it show the session name in the cloud trail request parameters?
e
elegant-crayon-4967
07/15/2021, 11:56 PMwell I’m not so worried about that as I am the actual process of assuming the role
elegant-crayon-4967
07/15/2021, 11:56 PMthat’s the parts that’s failing…when trying to assume a role
w
witty-candle-66007
07/16/2021, 1:10 PMWhen I ran the example code I referenced above, I never saw an assume role event in Cloudtrail. So I am wondering if things work the same way as when executing the AWS CLI.
But maybe that’s my mistake.
When you run your pulumi code, do you see an assume role event? Is it an assume role event that you are referencing in your “bad example” above?
If so, then there is probably a bug and I would recommend opening a github issue against the AWS provider.
e
elegant-crayon-4967
07/16/2021, 4:56 PMyea I will open a github issue and just go from there. Right now I abandoned being able to switch providers with an IAM conditional in play for role session
2 Views