# automation-api
s
This message was deleted.
c
imports here:
```python
from pulumi.automation import ConfigValue
from pulumi.automation import create_or_select_stack
from pulumi.automation import LocalWorkspaceOptions
from pulumi.automation import ProjectBackend
from pulumi.automation import ProjectRuntimeInfo
from pulumi.automation import ProjectSettings
from pulumi.automation import StackSettings
from pulumi.automation._stack import BaseResult
from pulumi_aws import s3
```
When I take out any `aws` namespace config settings, everything works fine when I run locally, and it appears to call the default provider
```
Previewing update (eli-test):
+ pulumi:pulumi:Stack: (create)
    [urn=urn:pulumi:eli-test::my_project::pulumi:pulumi:Stack::my_project-eli-test]
    + aws:s3/bucket:Bucket: (create)
        [urn=urn:pulumi:eli-test::my_project::aws:s3/bucket:Bucket::bucket]
        [provider=urn:pulumi:eli-test::my_project::pulumi:providers:aws::default_4_37_2::04da6b54-80e4-46f7-96ec-b56ff0331ba9]
        acl         : "private"
        bucket      : "bucket-a25f88e"
        forceDestroy: false
Resources:
    + 2 to create
```
But in CI I need to be able to assume a role, so I was trying to use
```python
stack_config["aws:assumeRole"] = {
    "roleArn": ConfigValue(role_arn),
    "sessionName": ConfigValue(f"deploy {fully_qualified_stack_name}"),
}
```
I'm using KMS as the secrets_provider if that makes any difference
```python
secrets_provider = f"awskms://{kms_key_id}"
```
`pip freeze` results in my venv:
```
Arpeggio==1.10.2
astroid==2.8.2
attrs==21.2.0
aws-lambda-typing==2.0.2
backports.entry-points-selectable==1.1.0
boto3==1.18.60
boto3-stubs==1.18.60
botocore==1.21.60
botocore-stubs==1.21.60
certifi==2021.10.8
cfgv==3.3.1
charset-normalizer==2.0.7
click==8.0.3
dill==0.3.4
distlib==0.3.3
filelock==3.3.0
grpcio==1.43.0
identify==2.3.0
idna==2.10
iniconfig==1.1.1
isort==5.9.3
jmespath==0.10.0
lark-parser==0.10.1
lazy-object-proxy==1.6.0
mccabe==0.6.1
mypy-boto3-lambda==1.18.60
mypy-boto3-s3==1.18.60
mypy-boto3-sts==1.18.60
nodeenv==1.6.0
packaging==21.0
parver==0.3.1
pep517==0.11.0
pip-tools==6.4.0
platformdirs==2.4.0
pluggy==1.0.0
pre-commit==2.15.0
protobuf==3.19.4
pulumi==3.24.1
pulumi-aws==4.37.2
py==1.10.0
pydantic==1.8.2
pyenchant==3.2.2
pylint==2.11.1
pyparsing==2.4.7
pytest==6.2.5
pytest-mock==3.5.1
pytest-pylint==0.18.0
pytest-randomly==3.6.0
python-dateutil==2.8.2
python-hcl2==3.0.1
python-on-whales==0.27.0
PyYAML==5.4.1
requests==2.26.0
s3transfer==0.5.0
semver==2.13.0
six==1.16.0
stdlib-utils==0.4.7
toml==0.10.2
tomli==1.2.1
tqdm==4.62.3
typer==0.4.0
types-requests==2.25.11
typing-extensions==3.10.0.2
urllib3==1.26.7
virtualenv==20.8.1
wrapt==1.12.1
```
l
This is not really an automation API specific question, but a question on using assume role for the AWS provider.
Here is a guide that shows doing this for a CLI-driven pulumi program: https://www.pulumi.com/registry/packages/aws/how-to-guides/aws-ts-assume-role/
It shouldn't be much different for automation API; you will just need to ensure you set the appropriate environment variables and config values via the automation API methods.
c
Thanks for the tips. I had found that docs page previously, but it didn't seem to help. I was able to hack a non-Pulumi workaround by just using boto3 to export the role creds to environment variables when running in CI. In case anyone else runs into the same issue:
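```python
import os

import boto3

# role_arn and fully_qualified_stack_name are defined elsewhere in the program.
session = boto3.Session()
# Assume the deployment role via STS; "/" in the stack name becomes "--" in the session name.
assumed_role_object = session.client("sts").assume_role(
    RoleArn=role_arn,
    RoleSessionName=f"deploy--{fully_qualified_stack_name.replace('/','--')}",
)
credentials = assumed_role_object["Credentials"]
# Export the temporary credentials as environment variables for the CI run.
os.environ["AWS_ACCESS_KEY_ID"] = credentials["AccessKeyId"]
os.environ["AWS_SECRET_ACCESS_KEY"] = credentials["SecretAccessKey"]
os.environ["AWS_SESSION_TOKEN"] = credentials["SessionToken"]
os.environ["AWS_DEFAULT_REGION"] = "us-east-1"
```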