wave skin tone 2 hey folks it me again I am currently deali Pulumi Community #aws

:wave::skin-tone-2: hey folks, it me again. I am c...

millions-planet-24262

06/16/2025, 5:56 AM

👋🏻 hey folks, it me again. I am currently dealing with multiple AWS accounts. I am curious if Pulumi supports IAM role chaining using `aws.Provider`:

Copy code

export const provider1 =
  new aws.Provider('provider-1', {
    assumeRole: { roleArn: 'arn:aws:iam::123456789012:role/Role1' },
    region: aws.Region.APSoutheast2,
  });

export const provider2 =
  new aws.Provider('provider-2', {
    assumeRole: { roleArn: 'arn:aws:iam::999999999999:role/Role2' },
    region: aws.Region.APSoutheast2,
  }, { provider: provider1 });

what I want to achieve is when

provider2

tries to assume

Role2

it uses

Role1

from

provider1

, but that doesn't seem to work that way. Am I missing something?

little-cartoon-10569

06/16/2025, 6:50 AM

As far as I understand it, role chaining in this direction (where you specify the role to use to assume another role) is explicitly not supported by the underlying SDK. Instead, role chaining via the standard SDKs works the opposite way, where a role specifies which other role is used when assuming it. https://docs.aws.amazon.com/sdkref/latest/guide/feature-assume-role-credentials.html I wouldn't be surprised if this changes soon though, since it's now possible to "forward" chain through the console.

millions-planet-24262

06/16/2025, 6:55 AM

Thanks Paul. I felt this was the case.

millions-planet-24262

06/16/2025, 7:11 AM

Do you have any idea or examples of how can I achieve hoping between accounts like this? Where I start from Account A in my CI, then hop into Account B and from there hop into Account C as needed?

little-cartoon-10569

06/16/2025, 7:48 AM

Separate providers. You can set up profiles for each one dependent on the previous if you want, or just have un-assuming ( ;) ) providers in the normal way.

millions-planet-24262

06/16/2025, 7:50 AM

Right. Thanks. Let me meditate on this for a bit. Appreciate your input!

numerous-book-75463

06/16/2025, 12:06 PM

We'll be adding support for role chaining in the next major version (v7) https://github.com/pulumi/pulumi-aws/issues/4459. It will allow you to do something like this

Copy code

const provider = new aws.Provider("provider", {
    // Users role will assume `baseRole` and then `baseRole` will assume `secondRole` which will provision the resources
    assumeRoles: [
        {roleArn: baseRole.arn},
        {roleArn: secondRole.arn}
    ],
});

millions-planet-24262

06/16/2025, 11:56 PM

This is awesome! Thank you Cory! Where can I follow along with the release schedule, so I can start testing things ASAP?

numerous-book-75463

06/23/2025, 12:33 PM

We just released the first v7-alpha release on Friday https://github.com/pulumi/pulumi-aws/releases/tag/v7.0.0-alpha.1. Would love any feedback you can provide!

millions-planet-24262

06/23/2025, 11:46 PM

That's awesome. I will hopefully get some time end of this week / start of next week to play with this. Thanks much!

millions-planet-24262

07/30/2025, 7:01 AM

👋🏻 took way longer than I expected, due to some priorities that changed on my end, but I finally got around to upgrading our Pulumi apps to AWS Provider v7 and was able to successfully chain the roles and simplify greatly our set up. Thank you very much for making this happen, it made my life so much easier! 🙇🏻‍♂️

🎉 1

numerous-book-75463

07/30/2025, 11:56 AM

Nice! Thanks for the feedback 🙏

👍🏻 1

Open in Slack

Previous Next