# aws
```python
from pulumi import FileArchive, ResourceOptions
from pulumi_aws import Provider, iam, lambda_, organizations, s3

# client_name, email, role_name, lambda_name, lambda_runtime and
# get_latest_layers() are defined elsewhere in the poster's program (not shown).

# Create new subaccount
new_account = organizations.Account(
    client_name,
    email=email,
    close_on_deletion=True,
    role_name=role_name,
    name=client_name,
    iam_user_access_to_billing="ALLOW",
)

account_id = ""
while not account_id:
    # This is how we get the ID of 'new_account': poll the organization
    # (a data-source call) until an account with our name shows up
    organization = organizations.get_organization()
    for account in organization.accounts:
        if account.name == client_name:
            account_id = str(account.id)

# Intermediate provider that will assume admin role on the newly created account
iam_role_provider = Provider(
    resource_name="admin-provider",
    profile="mf",
    assume_role={"role_arn": f"arn:aws:iam::{account_id}:role/{role_name}"},
    skip_metadata_api_check=False,
    skip_credentials_validation=True,
)

# Create new S3 bucket
bucket = s3.Bucket(
    client_name,
    acl="private",
    versioning=s3.BucketVersioningArgs(
        enabled=True,
    ),
    bucket=client_name,
    opts=ResourceOptions(provider=iam_role_provider),
)

# Execution role the Lambda service is allowed to assume
iam_for_lambda = iam.Role(
    "iamForLambda",
    assume_role_policy="""{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
""",
    opts=ResourceOptions(provider=iam_role_provider),
)

# This is the lambda function we will deploy
lambda_function = lambda_.Function(
    resource_name=lambda_name,
    name=lambda_name,
    code=FileArchive("package/"),
    handler="XXXX",
    runtime=lambda_runtime,
    layers=get_latest_layers(
        [
            "XXXX",
        ]
    ),
    role=iam_for_lambda.arn,
    opts=ResourceOptions(provider=iam_role_provider),
)
```
Just to add some more context here. The provider I created is able to create S3 buckets and other resources, but it only fails when trying to create a lambda. I tried assuming a role and using the AWS keys with the AWS CLI, and there I was also able to create a lambda!! The issue is only happening when using Pulumi and when running it via the Pulumi Deployment API.
Sending this to the channel too in case anyone has gone through this. Basically I was able to solve the issue, and it was nothing related to Pulumi but with a lambda layer version lacking permissions to be accessed from other accounts in the organization. I was able to see the error message by creating a CloudTrail instance and looking at the logs of the API calls. From Pulumi I was just getting an AccessDeniedException; it would be nice to get better error messages from the AWS CLI so they can be added to Pulumi as well.