This message was deleted.
# aws
s
This message was deleted.
b
Thanks for the detailed write-up. You indeed need to assume the role using something like the AWS CLI to fix this. It's not necessarily a Pulumi problem.
l
Large posts like this can be posted in a thread, with the first post being just a summary. This is taking up a lot of space in the channel. Also, you can use Slack's "Create a code snippet" feature to highlight code and make it expandable.
b
If you have valid AWS credentials, you'd use `aws sts assume-role` to get temporary credentials for your prod role.
l
It looks like the roles you've created allow CodeBuild to assume a role which then allows them to assume another role. Are you then assuming that role?
b
@billowy-army-68599 Thanks for the help! `aws sts assume-role` in the CodeBuild did indeed get the job done 🎉 This was the code in the CodeBuild buildspec.yaml:
```yaml
      - CREDENTIALS=$(aws sts assume-role --role-arn arn:aws:iam::${ProdAccountID}:role/${ProdRoleName} --role-session-name "codebuild-prod" --query "Credentials")
      - read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<<$( echo $CREDENTIALS | jq -r '"\(.AccessKeyId) \(.SecretAccessKey) \(.SessionToken)"' )
      - export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
      - export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
      - export AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN
```
@little-cartoon-10569 Good point, I will do that next time. And yes, CodeBuild is assuming a role in its own account that allows it to assume a role in another account; I believe it's called role chaining.