wide-account-87747
01/20/2023, 12:00 AM
pulumi up
at the preview stage:
aws:lambda:Function (PROJECT-exec-role):
error: Preview failed: refreshing urn:pulumi:dev::PROJECT::aws:lambda/function:Function::PROJECT-exec-role: 1 error occurred:
* AccessDeniedException:
status code: 403, request id: 649a5d8a-83ac-4194-82b9-0b11a1309de7
I’ve confirmed that my AWS CLI credentials are current and valid, and can perform the needed action (updating the IAM role) with these credentials manually; and this error reads more as a 403 from Pulumi, not AWS. I’ve tried pulumi logout && pulumi login
to no avail.
billowy-army-68599
01/20/2023, 12:21 AM
wide-account-87747
01/20/2023, 12:22 AM
billowy-army-68599
01/20/2023, 4:04 AM
wide-account-87747
01/20/2023, 4:34 AM
pulumi preview
, despite receiving the above error. If I make any call using the AWS CLI it is immediately logged by iamlive.
billowy-army-68599
01/20/2023, 4:43 AM
wide-account-87747
01/20/2023, 4:44 AM
billowy-army-68599
01/20/2023, 5:08 AM
wide-account-87747
01/20/2023, 5:15 AM
User: arn:aws:sts::DEVELOPMENT:assumed-role/AWSReservedSSO_IMPLEMENTER_ROLE/Nathaniel.Munk@cloudwave.com.au is not authorized to perform: lambda:GetFunction on resource: arn:aws:lambda:ap-southeast-2:PRODUCTION:function:PROJECT-e6df74f because no resource-based policy allows the lambda:GetFunction action
billowy-army-68599
01/20/2023, 2:53 PM
wide-account-87747
01/23/2023, 2:16 AM
config:
aws:allowedAccountIds:
- "DEVELOPMENT"
aws:profile: Sandbox1
aws:region: ap-southeast-2
billowy-army-68599
01/23/2023, 3:08 PM
wide-account-87747
01/23/2023, 10:40 PM
billowy-army-68599
01/23/2023, 11:30 PM
sandbox
have?
aws:profile: Sandbox1
wide-account-87747
01/23/2023, 11:31 PM
billowy-army-68599
01/23/2023, 11:31 PM
wide-account-87747
01/23/2023, 11:32 PM
billowy-army-68599
01/23/2023, 11:33 PM
arn:aws:lambda:ap-southeast-2:PRODUCTION:function:PROJECT-e6df74f
Perhaps this particular stack was already deployed to production once? If you check your stack state with pulumi stack export
you may see a reference to it
wide-account-87747
01/23/2023, 11:36 PM
pulumi stack export | grep PRODUCTION
is blank
billowy-army-68599
01/23/2023, 11:38 PM
wide-account-87747
01/23/2023, 11:38 PM
pulumi up -y
runs without issue.
billowy-army-68599
01/23/2023, 11:40 PM
aws sts get-caller-identity
• use something like IAM live to intercept the calls to the API https://github.com/iann0036/iamlive
wide-account-87747
01/23/2023, 11:43 PM
aws sts get-caller-identity
is as expected, the DEVELOPMENT role and account; but CloudTrail shows calls made from that role to the PRODUCTION account resources
billowy-army-68599
01/23/2023, 11:44 PM
wide-account-87747
01/23/2023, 11:44 PM
-v 9
(et al.) but I was unable to find where it accesses the ARNs around the time it shows the calls to the provider
billowy-army-68599
01/23/2023, 11:46 PM
pulumi up -v 9 --logtostderr
wide-account-87747
01/23/2023, 11:46 PM
billowy-army-68599
01/23/2023, 11:47 PM
pulumi up -r
and it’ll recreate all the resources
wide-account-87747
01/23/2023, 11:47 PM
pulumi stack export
but it’s worth a shot)
billowy-army-68599
01/23/2023, 11:53 PM
wide-account-87747
01/24/2023, 12:07 AM
pulumi stack export
in the web UI, is there an API call to retrieve a specific checkpoint?
billowy-army-68599
01/24/2023, 12:08 AM
wide-account-87747
01/24/2023, 12:09 AM