red-football-97286
05/14/2021, 8:23 AM
damp-school-17708
05/14/2021, 8:30 AM
// Option 1: Pulumi's provider function (returns a Promise)
import * as aws from '@pulumi/aws'
const current = aws.getCallerIdentity({})
const accountId = current.then((current) => current.accountId)

// Option 2: AWS SDK v3 STS call (top-level await, needs a `region` in scope)
import { GetCallerIdentityCommand, STSClient } from '@aws-sdk/client-sts'
const client = new STSClient({ region })
const { Account: accountId } = await client.send(new GetCallerIdentityCommand({}))
red-football-97286
05/14/2021, 8:38 AM
const accountId: Promise<string>
Argument of type 'Promise<string>' is not assignable to parameter of type 'string | number'.
Type 'Promise<string>' is not assignable to type 'number'.ts(2345)
Okta_Default_Roles.ts(18, 34): Did you forget to use 'await'?
damp-school-17708
05/14/2021, 8:51 AM
const sqsQueueUrl = interpolate`https://sqs.${region}.amazonaws.com/${accountId}/link-medmeme-migration-sqs-${env}`
red-football-97286
05/14/2021, 8:53 AM
export function setPolicyDocument(accountId: any): string {
  return `{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::${accountId}:saml-provider/sgn.okta-emea.com"
        },
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {
          "StringEquals": {
            "SAML:aud": "https://signin.aws.amazon.com/saml"
          }
        }
      }
    ]
  }`;
}
any
just trying to get it to work first!
damp-school-17708
05/14/2021, 9:02 AM
accessPolicies: pulumi.interpolate`{
"Statement": [
{
"Action": "es:*",
"Effect": "Allow",
"Principal": { "AWS": "${this.cognito.authenticatedRole.arn}" },
"Resource": "arn:aws:es:${region}:${accountId}:domain/link-${env}-*/*"
}
],
"Version": "2012-10-17"
}`,
red-football-97286
05/14/2021, 9:10 AM
pulumi:pulumi:Stack (Okta_AWS_Setup-dev):
error: Running program 'C:\SGN_Patterns\Okta_AWS_Setup\application' failed with an unhandled exception:
Error: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: could not validate provider configuration: 1 error occurred:
* Invalid or unknown key
damp-school-17708
05/14/2021, 9:58 AM
config:
  aws:region: us-east-1
Maybe it's that?
red-football-97286
05/14/2021, 10:01 AM
little-cartoon-10569
05/16/2021, 9:07 PM
aws.iam.PolicyDocument
class that creates the JSON for you. You don't need to do anything special, sometimes you can even avoid interpolation:
new aws.iam.Policy(name, {
  policy: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: { AWS: this.cognito.authenticatedRole.arn },
        Resource: pulumi.interpolate`arn:aws:es:${region}:${accountId}:domain/link-${env}-*/*`
      }
    ]
  } as aws.iam.PolicyDocument
  // ...
})
red-football-97286
05/17/2021, 9:26 AM
colossal-australia-65039
05/17/2021, 8:15 PM
as aws.iam.PolicyDocument
casting since it removes type-safety in this scenario and is not necessary for it to compile
little-cartoon-10569
05/17/2021, 8:28 PM