# general
e
I’m having an issue where the AWS Provider doesn’t seem to be respecting the `sessionName` param passed in. We have conditions set up on our service accounts that only allow assume role usage if the session name matches the correct phrase. I have Pulumi set up to match this: `sessionName: 'agent-example'`, but in my CloudTrail logs I can clearly see the assume role operation denied, and the request parameters show as “null” where it should show the sessionName.
w
I’ve not really done much with assume role, but I just ran this example: https://github.com/pulumi/examples/tree/master/aws-ts-assume-role. In the CreateBucket event in CloudTrail, I see User name is “PulumiSession”, which is the sessionName used in the example. And in the event record, I see “PulumiSession” as part of the principalId and the arn. So the sessionName appears to be making it to AWS. Are you expecting it to be represented in some other way?
e
in CloudTrail, what do you see under the request parameters?
w
```json
"requestParameters": {
    "bucketName": "my-bucket-bb6c451",
    "Host": "my-bucket-bb6c451.s3.amazonaws.com",
    "x-amz-acl": "private"
},
```
So I think you’re saying the session name should show up in there?
e
yea, let me send you a good / bad example 🙂
bad:
good:
w
I’m a little confused why your good example has very different values in the requestParameters compared to my CreateBucket requestParameters.
Are you using assume_role for the provider when creating another role - the roleArn in your good example?
e
not sure what you’re asking… in the good example, that’s doing a straight `aws sts assume-role` command
the bad example is letting the pulumi provider do it
w
Is the good example from a CloudTrail record for the assume-role event? In my case, from the example referenced above, the only place the session name showed up at all was related to creating a resource (S3 bucket) using the AWS provider created with the assume role stuff.
e
yea, CloudTrail from the assume-role CLI command
but have you tested yours with a conditional in the IAM Policy, that ONLY assumptions with that session name are allowed?
w
No, but I’m wondering if the session name as such is seen in CloudTrail when creating a resource as the assumed role. For example, if you use the AWS CLI to create, say, an S3 bucket, does it show the session name in the CloudTrail request parameters?
e
well I’m not so worried about that as I am about the actual process of assuming the role
that’s the part that’s failing… when trying to assume a role
w
When I ran the example code I referenced above, I never saw an assume role event in CloudTrail. So I am wondering if things work the same way as when executing the AWS CLI. But maybe that’s my mistake. When you run your Pulumi code, do you see an assume role event? Is it an assume role event that you are referencing in your “bad example” above? If so, then there is probably a bug and I would recommend opening a GitHub issue against the AWS provider.
e
yea, I will open a GitHub issue and just go from there. Right now I abandoned being able to switch providers with an IAM conditional in play for role session