Hi, does anyone have any tips how I can dynamicall...
# typescriptr
red-football-97286
05/14/2021, 8:23 AMHi, does anyone have any tips how I can dynamically get the AWS account ID and pass it to a function to use to generate a JSON snippet?
d
damp-school-17708
05/14/2021, 8:30 AMInside a pulumi script or elsewhere? In Typescript we do:
Copy code
import * as aws from '@pulumi/aws'
const current = aws.getCallerIdentity({})
const accountId = current.then((current) => current.accountId)👍 1
damp-school-17708
05/14/2021, 8:30 AMin lambdas we do:
Copy code
import { GetCallerIdentityCommand, STSClient } from '@aws-sdk/client-sts'
const client = new STSClient({ region })
const { Account: accountId } = await client.send(new GetCallerIdentityCommand({}))r
red-football-97286
05/14/2021, 8:38 AMSorry, in pulumi. I've tried the top one, but it returns a Promise<string>, so when I pass it to the function and run pulumi up, I get [Promise: Object] instead of the account number...
red-football-97286
05/14/2021, 8:42 AM Copy code
const accountId: Promise<string>
Argument of type 'Promise<string>' is not assignable to parameter of type 'string | number'.
Type 'Promise<string>' is not assignable to type 'number'.ts(2345)
Okta_Default_Roles.ts(18, 34): Did you forget to use 'await'?d
damp-school-17708
05/14/2021, 8:51 AMoh yes we then use interpolation
Copy code
const sqsQueueUrl = interpolate`<https://sqs>.${region}.<http://amazonaws.com/${accountId}/link-medmeme-migration-sqs-${env}|amazonaws.com/${accountId}/link-medmeme-migration-sqs-${env}>`r
red-football-97286
05/14/2021, 8:53 AMThis is the separate function that account id is passed to:
Copy code
export function setPolicyDocument(accountId: any): string {
return `{
\"Version\":\"2012-10-17\",
\"Statement\": [
{
\"Effect\":\"Allow\",
\"Principal\":{
\"Federated\":\"arn:aws:iam::${accountId}:saml-provider/sgn.okta-emea.com\"
},
\"Action\":\"sts:AssumeRoleWithSAML\",
\"Condition\": {
\"StringEquals\":{
\"SAML:aud\":\"<https://signin.aws.amazon.com/saml>\"
}
}
}
]
}`;
}red-football-97286
05/14/2021, 8:53 AMI'm changing the
anyd
damp-school-17708
05/14/2021, 9:02 AMyep we do something similar, but use interpolate which resolves promises
Copy code
accessPolicies: pulumi.interpolate`{
"Statement": [
{
"Action": "es:*",
"Effect": "Allow",
"Principal": { "AWS": "${this.cognito.authenticatedRole.arn}" },
"Resource": "arn:aws:es:${region}:${accountId}:domain/link-${env}-*/*"
}
],
"Version": "2012-10-17"
}`,r
red-football-97286
05/14/2021, 9:10 AMkeep getting this error, @damp-school-17708
Copy code
pulumi:pulumi:Stack (Okta_AWS_Setup-dev):
error: Running program 'C:\SGN_Patterns\Okta_AWS_Setup\application' failed with an unhandled exception:
Error: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: could not validate provider configuration: 1 error occurred:
* Invalid or unknown keyd
damp-school-17708
05/14/2021, 9:58 AMWe do have a section in our Pulumi configs
Copy code
config:
aws:region: us-east-1damp-school-17708
05/14/2021, 9:58 AMI assume btw you use aws, I have no idea on other cloud providers
r
red-football-97286
05/14/2021, 10:01 AMI am using AWS. Think i've sorted it. As per normal it was something simple, I had double quotes inside my pulumi.<stack>.yaml file.
But the pulumi.interpolate also helped 🙂
Thank you kindly for your help.
l
little-cartoon-10569
05/16/2021, 9:07 PMAside: there is the
aws.iam.PolicyDocument Copy code
new aws.iam.Policy(name, {
policy: {
Version: "2012-10-17",
Statement": [
{
Effect: "Allow",
"Principal": { "AWS": this.cognito.authenticatedRole.arn },
"Resource": pulumi.interpololate`arn:aws:es:${region}:${accountId}:domain/link-${env}-*/*`
}
]
} as aws.iam.PolicyDocument
// ...
}r
red-football-97286
05/17/2021, 9:26 AMThat looks cleaner, thank you @little-cartoon-10569
c
colossal-australia-65039
05/17/2021, 8:15 PMi would remove the
as aws.iam.PolicyDocumentl
little-cartoon-10569
05/17/2021, 8:28 PMYes, it was added to show where the class is in the code. It's best not to have it.