sparse-intern-71089
01/20/2023, 12:00 AM
billowy-army-68599
wide-account-87747
01/20/2023, 12:22 AM
wide-account-87747
01/20/2023, 12:33 AM
billowy-army-68599
wide-account-87747
01/20/2023, 4:34 AM
pulumi preview, despite receiving the above error. If I make any call using the AWS CLI it is immediately logged by iamlive.
billowy-army-68599
wide-account-87747
01/20/2023, 4:44 AM
wide-account-87747
01/20/2023, 4:44 AM
billowy-army-68599
wide-account-87747
01/20/2023, 5:15 AM
wide-account-87747
01/20/2023, 5:31 AM
wide-account-87747
01/20/2023, 5:33 AM
wide-account-87747
01/20/2023, 5:35 AM
User: arn:aws:sts::DEVELOPMENT:assumed-role/AWSReservedSSO_IMPLEMENTER_ROLE/Nathaniel.Munk@cloudwave.com.au is not authorized to perform: lambda:GetFunction on resource: arn:aws:lambda:ap-southeast-2:PRODUCTION:function:PROJECT-e6df74f because no resource-based policy allows the lambda:GetFunction action
billowy-army-68599
wide-account-87747
01/23/2023, 2:16 AM
config:
  aws:allowedAccountIds:
    - "DEVELOPMENT"
  aws:profile: Sandbox1
  aws:region: ap-southeast-2
wide-account-87747
01/23/2023, 2:18 AM
billowy-army-68599
wide-account-87747
01/23/2023, 10:40 PM
wide-account-87747
01/23/2023, 10:41 PM
billowy-army-68599
sandbox have?
billowy-army-68599
billowy-army-68599
aws:profile: Sandbox1
wide-account-87747
01/23/2023, 11:31 PM
billowy-army-68599
wide-account-87747
01/23/2023, 11:32 PM
billowy-army-68599
arn:aws:lambda:ap-southeast-2:PRODUCTION:function:PROJECT-e6df74f
Perhaps this particular stack was already deployed to production once? If you check your stack state with pulumi stack export you may see a reference to it
wide-account-87747
01/23/2023, 11:36 PM
pulumi stack export | grep PRODUCTION is blank
wide-account-87747
01/23/2023, 11:36 PM
billowy-army-68599
wide-account-87747
01/23/2023, 11:38 PM
wide-account-87747
01/23/2023, 11:38 PM
wide-account-87747
01/23/2023, 11:39 PM
pulumi up -y runs without issue.
billowy-army-68599
aws sts get-caller-identity
• use something like IAM live to intercept the calls to the API https://github.com/iann0036/iamlive
wide-account-87747
01/23/2023, 11:43 PM
aws sts get-caller-identity is as expected, the DEVELOPMENT role and account; but CloudTrail shows calls made from that role to the PRODUCTION account resources
wide-account-87747
01/23/2023, 11:43 PM
wide-account-87747
01/23/2023, 11:43 PM
billowy-army-68599
wide-account-87747
01/23/2023, 11:44 PM
wide-account-87747
01/23/2023, 11:45 PM
-v 9 (et al.) but I was unable to find where it accesses the ARNs around the time it shows the calls to the provider
billowy-army-68599
pulumi up -v 9 --logtostderr
wide-account-87747
01/23/2023, 11:46 PM
billowy-army-68599
pulumi up -r and it’ll recreate all the resources
wide-account-87747
01/23/2023, 11:47 PM
wide-account-87747
01/23/2023, 11:48 PM
wide-account-87747
01/23/2023, 11:49 PM
wide-account-87747
01/23/2023, 11:52 PM
wide-account-87747
01/23/2023, 11:52 PM
pulumi stack export but it’s worth a shot)
billowy-army-68599
wide-account-87747
01/24/2023, 12:07 AM
pulumi stack export in the web UI, is there an API call to retrieve a specific checkpoint?
billowy-army-68599
wide-account-87747
01/24/2023, 12:09 AM