Hi, do you know how to set the assuming role when ...
# automation-api
t
Hi, do you know how to set the assuming role when using automation api to deploy resources on AWS assuming account? This does not work (does not take this info into account):
`stack.set_config("roleToAssumeARN", auto.ConfigValue(value="arn:aws:iam::11111111:role/myrole"))`
I've found a way to do it, but is there a "default" way instead of using an "explicit" one:
```python
assumerole = aws.Provider("aviatrixrole",
                          region="eu-west-1",
                          assume_role=aws.ProviderAssumeRoleArgs(role_arn="arn:aws:iam::1111111:role/myrole"))

site_bucket = s3.Bucket("s3-website-bucket",
                        website=s3.BucketWebsiteArgs(index_document="index.html"),
                        opts=pulumi.ResourceOptions(provider=assumerole))
```
b
There’s an `assumeRole` config setting you can use for default providers: https://www.pulumi.com/registry/packages/aws/installation-configuration/#configuration-options
t
this `stack.set_config("assumeRole.roleArn", auto.ConfigValue(value="arn:aws:iam::11111:role/myrole"))` doesn't work either. It still creates my S3 bucket on my current account
b
it needs to be `stack.set_config("aws:assumeRole.roleArn", auto.ConfigValue(value="arn:aws:iam::11111:role/myrole"))` (note the `aws` in front of the `assumeRole`)
t
You're right. Strange, because Pulumi generates errors:
```
pulumi:pulumi:Stack inline_s3_project-dev running
    aws:s3:Bucket s3-website-bucket  error: could not validate provider configuration: 1 error occurred:
    pulumi:pulumi:Stack inline_s3_project-dev
    aws:s3:Bucket s3-website-bucket **failed** 1 error

Diagnostics:
  aws:s3:Bucket (s3-website-bucket):
    error: could not validate provider configuration: 1 error occurred:
    	* Invalid or unknown key
```
b
is that what you’re getting with the `aws` in front?
t
Yes
Without `stack.set_config("aws:assumeRole.roleArn", auto.ConfigValue(value="arn:aws:iam::11111768:role/myrole"))` it works great (but not on the proper account)
b
I think you might need to set the `externalId` and the `sessionId` names in the config as well if you’re using assumeRole (not 100% sure on this, but worth a try) - that might be why you’re getting that error.
> Without `stack.set_config("aws:assumeRole.roleArn", auto.ConfigValue(value="arn:aws:iam::11111768:role/myrole"))` it works great (but not on the proper account)

This is because the provider is ignoring the setting
it’s not actually using the role at all
t
@brave-planet-10645 is it expected or a bug?
b
what, for the default provider to ignore it without the `aws` at the beginning? It’s expected: https://www.pulumi.com/docs/intro/concepts/config/#configuration-keys
t
I've set the `aws:` as prefix, but Pulumi crashes when I set this config value
a
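```python
import json

from pulumi import automation as auto

# `stack` is an existing Automation API stack (auto.Stack).
# The whole assumeRole object is passed as one JSON-encoded value
# under the provider-namespaced key "aws:assumeRole".
stack.set_config(
    "aws:assumeRole",
    auto.ConfigValue(
        json.dumps(
            {
                "roleArn": "arn:aws:iam::11111111111:role/myrole",
                "sessionName": "session-assume-myrole",
            }
        )
    ),
)
```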
I can't remember where I found this, but I did it this way and it worked.