wave skin tone 2 hey folks it me again I am currently deali Pulumi Community #aws

:wave::skin-tone-2: hey folks, it me again. I am c...

millions-planet-24262

06/16/2025, 5:56 AM

👋🏻 hey folks, it me again. I am currently dealing with multiple AWS accounts. I am curious if Pulumi supports IAM role chaining using `aws.Provider`:

Copy code

export const provider1 =
  new aws.Provider('provider-1', {
    assumeRole: { roleArn: 'arn:aws:iam::123456789012:role/Role1' },
    region: aws.Region.APSoutheast2,
  });

export const provider2 =
  new aws.Provider('provider-2', {
    assumeRole: { roleArn: 'arn:aws:iam::999999999999:role/Role2' },
    region: aws.Region.APSoutheast2,
  }, { provider: provider1 });

what I want to achieve is when

provider2

tries to assume

Role2

it uses

Role1

from

provider1

, but that doesn't seem to work that way. Am I missing something?

little-cartoon-10569

06/16/2025, 6:50 AM

As far as I understand it, role chaining in this direction (where you specify the role to use to assume another role) is explicitly not supported by the underlying SDK. Instead, role chaining via the standard SDKs works the opposite way, where a role specifies which other role is used when assuming it. https://docs.aws.amazon.com/sdkref/latest/guide/feature-assume-role-credentials.html I wouldn't be surprised if this changes soon though, since it's now possible to "forward" chain through the console.

millions-planet-24262

06/16/2025, 6:55 AM

Thanks Paul. I felt this was the case.

millions-planet-24262

06/16/2025, 7:11 AM

Do you have any idea or examples of how can I achieve hoping between accounts like this? Where I start from Account A in my CI, then hop into Account B and from there hop into Account C as needed?

little-cartoon-10569

06/16/2025, 7:48 AM

Separate providers. You can set up profiles for each one dependent on the previous if you want, or just have un-assuming ( ;) ) providers in the normal way.

millions-planet-24262

06/16/2025, 7:50 AM

Right. Thanks. Let me meditate on this for a bit. Appreciate your input!

numerous-book-75463

06/16/2025, 12:06 PM

We'll be adding support for role chaining in the next major version (v7) https://github.com/pulumi/pulumi-aws/issues/4459. It will allow you to do something like this

Copy code

const provider = new aws.Provider("provider", {
    // Users role will assume `baseRole` and then `baseRole` will assume `secondRole` which will provision the resources
    assumeRoles: [
        {roleArn: baseRole.arn},
        {roleArn: secondRole.arn}
    ],
});

millions-planet-24262

06/16/2025, 11:56 PM

This is awesome! Thank you Cory! Where can I follow along with the release schedule, so I can start testing things ASAP?

numerous-book-75463

06/23/2025, 12:33 PM

We just released the first v7-alpha release on Friday https://github.com/pulumi/pulumi-aws/releases/tag/v7.0.0-alpha.1. Would love any feedback you can provide!

millions-planet-24262

06/23/2025, 11:46 PM

That's awesome. I will hopefully get some time end of this week / start of next week to play with this. Thanks much!

Open in Slack

Previous Next