https://pulumi.com logo
Powered by
Title
t

thousands-engineer-52020

11/16/2022, 8:07 AM
Hi, do you know how to set the assuming role when using automation api to deploy ressources on AWS assuming account ? This does not work (does not take to account this info) : 
stack.set_config("roleToAssumeARN", auto.ConfigValue(value="arn:aws:iam::11111111:role/myrole"))
I've found a way to do it, but is there a "default" way instead of using an "explicit" one : 
assumerole = aws.Provider("aviatrixrole", 
                                region="eu-west-1",
                               assume_role=aws.ProviderAssumeRoleArgs(role_arn="arn:aws:iam::1111111:role/myrole"))

    site_bucket = s3.Bucket("s3-website-bucket", 
                            website=s3.BucketWebsiteArgs(index_document="index.html"), 
                            opts=pulumi.ResourceOptions(provider=assumerole))
b

brave-planet-10645

11/16/2022, 10:35 AM
There’s an 
assumeRole
config setting you can use for default providers: https://www.pulumi.com/registry/packages/aws/installation-configuration/#configuration-options
t

thousands-engineer-52020

11/16/2022, 10:42 AM
this 
stack.set_config("assumeRole.roleArn", auto.ConfigValue(value="arn:aws:iam::11111:role/myrole"))
doesn't work either. It still create my S3 bucket on my current account
b

brave-planet-10645

11/16/2022, 10:45 AM
it needs to be 
stack.set_config("aws:assumeRole.roleArn", auto.ConfigValue(value="arn:aws:iam::11111:role/myrole"))
(note the 
aws
in front of the 
assumeRole
)
t

thousands-engineer-52020

11/16/2022, 10:50 AM
You're right. Strange, because pulumi generate errors : 
pulumi:pulumi:Stack inline_s3_project-dev running
    aws:s3:Bucket s3-website-bucket  error: could not validate provider configuration: 1 error occurred:
    pulumi:pulumi:Stack inline_s3_project-dev
    aws:s3:Bucket s3-website-bucket **failed** 1 error

Diagnostics:
  aws:s3:Bucket (s3-website-bucket):
    error: could not validate provider configuration: 1 error occurred:
    	* Invalid or unknown key
b

brave-planet-10645

11/16/2022, 10:51 AM
is that what you’re getting with the 
aws
in front?
t

thousands-engineer-52020

11/16/2022, 10:52 AM
Yes
Without 
stack.set_config("aws:assumeRole.roleArn", auto.ConfigValue(value="arn:aws:iam::11111768:role/myrole"))
it work great (but not on the proper account)
b

brave-planet-10645

11/16/2022, 11:09 AM
I think you might need to set the 
externalId
and the 
sessionId
names in the config as well if you’re using assumeRole (not 100% sure on this, but worth a try) - that might be why you’re getting that error).
Without 
stack.set_config("aws:assumeRole.roleArn", auto.ConfigValue(value="arn:aws:iam::11111768:role/myrole"))
it work great (but not on the proper account)
This is because the provider is ignoring the setting
it’s not actually using the role at all
t

thousands-engineer-52020

11/16/2022, 2:15 PM
@brave-planet-10645 it's expected or a bug ?
b

brave-planet-10645

11/16/2022, 2:16 PM
what, for the default provider to ignore it without the 
aws
at the beginning? It’s expected: https://www.pulumi.com/docs/intro/concepts/config/#configuration-keys
t

thousands-engineer-52020

11/16/2022, 2:50 PM
I've set the 
aws:
in prefix, but pulumi crash when I set this config value
a

ambitious-rocket-23091

11/16/2022, 7:52 PM
stack.set_config(
            "aws:assumeRole",
            auto.ConfigValue(
                json.dumps(
                    {
                        "roleArn": "arn:aws:iam::11111111111:role/myrole",
                        "sessionName": "session-assume-myrole",
                    }
                )
            ),
        )
I can't remember where I found this, but I did it this way and it worked.
17 Views
#automation-apiJoin Slack
Powered by