lemon-dog-29241
09/13/2021, 1:08 AM
little-cartoon-10569
09/13/2021, 1:29 AM
lemon-dog-29241
09/13/2021, 1:43 AM
little-cartoon-10569
09/13/2021, 1:44 AM
lemon-dog-29241
09/13/2021, 1:45 AM
little-cartoon-10569
09/13/2021, 1:46 AM
lemon-dog-29241
09/13/2021, 1:46 AM
little-cartoon-10569
09/13/2021, 1:47 AM
lemon-dog-29241
09/13/2021, 1:49 AM
stack.set_config("aws:accessKey", auto.ConfigValue(value="accesskeyhere"))
stack.set_config("aws:secretKey", auto.ConfigValue(value="secretkeyhere"))
So I guess my question is what do I pass in there? Because all I have from the not-my-account is the role
little-cartoon-10569
09/13/2021, 1:51 AM
lemon-dog-29241
09/13/2021, 1:53 AM
little-cartoon-10569
09/13/2021, 2:20 AM
lemon-dog-29241
09/13/2021, 3:27 AM
billowy-army-68599
09/13/2021, 4:53 AM
lemon-dog-29241
09/14/2021, 1:04 AM
aws:assumeRole.roleArn
but that didn't work. Then I tried doing that and setting my AWS secret and access key, and that didn't work either. I'm getting the error:
* Invalid or unknown key
I also saw in some docs somewhere that when you set up a provider, you have to pass them into the ResourceOptions for the resources you want to use that provider for ... what if I want all resources to be created with this role?

# Import assumed by the snippet; the message does not show it.
import pulumi.automation as auto

project_settings = auto.ProjectSettings(
    name=project_name,
    runtime="python",
    main="/tmp",
    # Slack mangled this URL into "<s3://pulumi-state>-..."; the intended
    # backend is the bucket pulumi-state-{org_id}.
    backend=auto.ProjectBackend(url=f"s3://pulumi-state-{org_id}/{state_path}"),
)
stack = auto.create_or_select_stack(
    stack_name=stack_name,
    project_name=project_name,
    program=program,
    work_dir="/tmp",
    opts=auto.LocalWorkspaceOptions(project_settings=project_settings),
)
stack.workspace.install_plugin("aws", "v4.15.0")
# EnvVar is the poster's placeholder for a value read from the environment.
stack.set_config("aws:assumeRole.roleArn", auto.ConfigValue(value=EnvVar))
stack.set_config("aws:accessKey", auto.ConfigValue(value=EnvVar))
stack.set_config("aws:secretKey", auto.ConfigValue(value=EnvVar))
billowy-army-68599
09/16/2021, 11:22 AM
lemon-dog-29241
01/19/2022, 4:46 PM
billowy-army-68599
01/19/2022, 4:54 PM
lemon-dog-29241
01/19/2022, 4:55 PM
billowy-army-68599
01/19/2022, 4:58 PM
aws sts assume-role call inside the lambda, and then you need to check you have the right role with aws sts get-caller-identity - do all of this before you do anything with Pulumi
Once you've done that, your Pulumi program can either:
• use ambient/env var credentials
• use configuration options
One thing you haven't mentioned is setting a session token. The STS service with assume role also emits a session token, and you'll need to pass that to do cross-account provisioning
lemon-dog-29241
01/19/2022, 5:01 PM
billowy-army-68599
01/19/2022, 5:04 PM
lemon-dog-29241
01/19/2022, 5:07 PM
red-match-15116
01/19/2022, 10:40 PM
fresh-minister-66960
11/24/2022, 7:48 AM
lemon-dog-29241
12/02/2022, 7:56 PM
# Imports assumed by the snippet; the message does not show them.
import os

import boto3


def main(org_id, env, state_path, program, role_arn):
    try:
        client = boto3.client('sts')
        ...
        # Assume the cross-account role; ExternalId must match the role's trust policy.
        # project_name and stack_name are set in the part of the function not shown.
        response = client.assume_role(RoleArn=role_arn,
                                      RoleSessionName='GetBuildBot',
                                      ExternalId=org_id)
        os.environ['PULUMI_CONFIG_PASSPHRASE'] = f'{project_name}{stack_name}'
        # Hand the temporary credentials to the Pulumi AWS provider as ambient
        # environment variables; the session token is required alongside the key pair.
        os.environ['AWS_ACCESS_KEY_ID'] = response['Credentials']['AccessKeyId']
        os.environ['AWS_SECRET_ACCESS_KEY'] = response['Credentials']['SecretAccessKey']
        os.environ['AWS_SESSION_TOKEN'] = response['Credentials']['SessionToken']
    except Exception:
        # The handler is not included in the message; re-raise so the snippet parses.
        raise
Unless you mean something else? I might be able to help if you share a bit more.
little-cartoon-10569
12/03/2022, 1:07 AM