brainy-furniture-43093
03/10/2022, 10:46 PM
CodeBuildProdRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: !Sub ${ProjectName}-codepipeline-deploy-prod-role
    Description: CodePipeline role to deploy dev artifacts and infrastructure changes to production
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${DevAccountId}:role/${ProjectName}-codepipeline-deploy-prod-role
          Action: sts:AssumeRole
    Path: /
    Policies:
      - PolicyName: !Sub ${ProjectName}-codepipeline-deploy-prod-role-policy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Resource: !Sub arn:aws:iam::${DevAccountId}:role/${ProjectName}-codepipeline-deploy-prod-role
              Action: sts:AssumeRole
            - Effect: Allow
              Action:
                - s3:*
              Resource:
                - arn:aws:s3:::PROD s3 bucket for Pulumi state
                - arn:aws:s3:::PROD s3 bucket for Pulumi state/*
...
DEV account:
CodeBuildProdRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: !Sub ${ProjectName}-codepipeline-deploy-prod-role
    Description: CodePipeline role to deploy dev artifacts and infrastructure changes to production
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action:
            - sts:AssumeRole
    Policies:
      - PolicyName: !Sub ${ProjectName}-codepipeline-deploy-prod-role-policy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action: sts:AssumeRole
              # The role I want to assume from the PROD account
              Resource: !Sub arn:aws:iam::${ProdAccountId}:role/${ProjectName}-codepipeline-deploy-prod-role
...
When I run Pulumi login (PROD s3 bucket for Pulumi state) I get this access denied error:
[Container] 2022/03/10 20:58:23 Running command pulumi login s3://(PROD s3 bucket for Pulumi state)
Logged in to (id) as root (s3://(PROD s3 bucket for Pulumi state))
[Container] 2022/03/10 20:58:23 Running command pulumi stack select prod
error: failed to load checkpoint: blob (key ".pulumi/stacks/prod.json") (code=Unknown): AccessDenied: Access Denied
I would imagine I need to do the equivalent of export AWS_PROFILE="PROD", which I do in my terminal to switch account for my user, but I would like to do this for a role. I would rather not start generating credentials on the fly and dynamically populate them as environment variables into CodeBuild. So is there a way I can tell Pulumi to assume a certain role in another account if the role it is currently using is the Principal to the role I want it to use, also making sure it modifies resources in the PROD account although it is running in the DEV account?
Any help is much appreciated.
Thank you!
Ado
billowy-army-68599
little-cartoon-10569

billowy-army-68599
03/10/2022, 10:51 PM
aws sts assume-role
to get temporary credentials for your prod role.

little-cartoon-10569
03/10/2022, 10:51 PM

brainy-furniture-43093
03/11/2022, 1:24 AM
- CREDENTIALS=$(aws sts assume-role --role-arn arn:aws:iam::${ProdAccountID}:role/${ProdRoleName} --role-session-name "codebuild-prod" --query "Credentials")
- read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<<$( echo $CREDENTIALS | jq -r '"\(.AccessKeyId) \(.SecretAccessKey) \(.SessionToken)"' )
- export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
- export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
- export AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN