https://pulumi.com logo
Title
r

red-football-97286

05/14/2021, 8:23 AM
Hi, does anyone have any tips how I can dynamically get the AWS account ID and pass it to a function to use to generate a JSON snippet?
d

damp-school-17708

05/14/2021, 8:30 AM
Inside a pulumi script or elsewhere? In Typescript we do:
import * as aws from '@pulumi/aws'

const current = aws.getCallerIdentity({})
const accountId = current.then((current) => current.accountId)
👍 1
in lambdas we do:
import { GetCallerIdentityCommand, STSClient } from '@aws-sdk/client-sts'
  
  const client = new STSClient({ region })
  const { Account: accountId } = await client.send(new GetCallerIdentityCommand({}))
r

red-football-97286

05/14/2021, 8:38 AM
Sorry, in pulumi. I've tried the top one, but it returns a Promise<string>, so when I pass it to the function and run pulumi up, I get [Promise: Object] instead of the account number...
const accountId: Promise<string>
Argument of type 'Promise<string>' is not assignable to parameter of type 'string | number'.
  Type 'Promise<string>' is not assignable to type 'number'.ts(2345)
Okta_Default_Roles.ts(18, 34): Did you forget to use 'await'?
d

damp-school-17708

05/14/2021, 8:51 AM
oh yes we then use interpolation
const sqsQueueUrl = interpolate`<https://sqs>.${region}.<http://amazonaws.com/${accountId}/link-medmeme-migration-sqs-${env}|amazonaws.com/${accountId}/link-medmeme-migration-sqs-${env}>`
r

red-football-97286

05/14/2021, 8:53 AM
This is the separate function that account id is passed to:
export function setPolicyDocument(accountId: any): string {
  return `{
    \"Version\":\"2012-10-17\",
    \"Statement\": [
        {
            \"Effect\":\"Allow\",
            \"Principal\":{
                \"Federated\":\"arn:aws:iam::${accountId}:saml-provider/sgn.okta-emea.com\"
            },
            \"Action\":\"sts:AssumeRoleWithSAML\",
            \"Condition\": {
                \"StringEquals\":{
                    \"SAML:aud\":\"<https://signin.aws.amazon.com/saml>\"
                    }
                }
            }
        ]
    }`;
}
I'm changing the
any
just trying to get it to work first!
d

damp-school-17708

05/14/2021, 9:02 AM
yep we do something similar, but use interpolate which resolves promises
accessPolicies: pulumi.interpolate`{
        "Statement": [
          {
            "Action": "es:*",
            "Effect": "Allow",
            "Principal": { "AWS": "${this.cognito.authenticatedRole.arn}" },
            "Resource": "arn:aws:es:${region}:${accountId}:domain/link-${env}-*/*"
          }
        ],
        "Version": "2012-10-17"
      }`,
r

red-football-97286

05/14/2021, 9:10 AM
keep getting this error, @damp-school-17708
pulumi:pulumi:Stack (Okta_AWS_Setup-dev):
    error: Running program 'C:\SGN_Patterns\Okta_AWS_Setup\application' failed with an unhandled exception:
    Error: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: could not validate provider configuration: 1 error occurred:
        * Invalid or unknown key
d

damp-school-17708

05/14/2021, 9:58 AM
We do have a section in our Pulumi configs
config:
  aws:region: us-east-1
Maybe is that?
I assume btw you use aws, I have no idea on other cloud providers
r

red-football-97286

05/14/2021, 10:01 AM
I am using AWS. Think i've sorted it. As per normal it was something simple, I had double quotes inside my pulumi.<stack>.yaml file. But the pulumi.interpolate also helped 🙂 Thank you kindly for your help.
l

little-cartoon-10569

05/16/2021, 9:07 PM
Aside: there is the
aws.iam.PolicyDocument
class that creates the JSON for you. You don't need to do anything special, sometimes you can even avoid interpolation:
new aws.iam.Policy(name, {
  policy: {
    Version: "2012-10-17",
    Statement": [
        {
            Effect: "Allow",
            "Principal": { "AWS": this.cognito.authenticatedRole.arn },
            "Resource": pulumi.interpololate`arn:aws:es:${region}:${accountId}:domain/link-${env}-*/*`
        }
    ]
  } as aws.iam.PolicyDocument
  // ...
}
r

red-football-97286

05/17/2021, 9:26 AM
That looks cleaner, thank you @little-cartoon-10569
c

colossal-australia-65039

05/17/2021, 8:15 PM
i would remove the
as aws.iam.PolicyDocument
casting since it removes type-safety in this scenario and is not necessary for it to compile
l

little-cartoon-10569

05/17/2021, 8:28 PM
Yes, it was added to show where the class is in the code. It's best not to have it.