Hello. Would like to quickly run by you an issue ...
# aws
Hello. Would like to quickly run by you an issue with
pulumi refresh
i’ve come across when using explicit aws providers within a specific scenario. For context I am wanting to use explicit aws providers to enable easy cross account deployment of resources. Most deployments will be done via a github actions workflow, but we will occasionally be required to deploy from local machines too. The iam roles we use for deployments from github and local machines are not the same and so the provider’s
is changed based on the deployment environment. However running the
pulumi refresh
command locally if the previous deployment was made from github causes an access denied error, but running
pulumi up
does not give the same error and will simply deploy any changes. Was wondering if there’s a neat workaround i’ve not thought of to enable
pulumi refresh
in this scenario, something other than manually editing the the aws provider
in the backend state file after changing deployment environment?
Easiest is to always assume the same role for deployments. In this case, you may want to consider role chaining. Instead of allowing the role you assume from your local desktop to deploy stuff, allow it to assume the same role that the GitHub deployments use.