wide-account-87747
01/20/2023, 12:00 AM
pulumi up at the preview stage:
aws:lambda:Function (PROJECT-exec-role):
error: Preview failed: refreshing urn:pulumi:dev::PROJECT::aws:lambda/function:Function::PROJECT-exec-role: 1 error occurred:
* AccessDeniedException:
status code: 403, request id: 649a5d8a-83ac-4194-82b9-0b11a1309de7
I’ve confirmed that my AWS CLI credentials are current and valid, and can perform the needed action (updating the IAM role) with these credentials manually; and this error reads more as a 403 from Pulumi, not AWS. I’ve tried pulumi logout && pulumi login to no avail.
billowy-army-68599
wide-account-87747
01/20/2023, 12:22 AM
wide-account-87747
01/20/2023, 12:33 AM
billowy-army-68599
wide-account-87747
01/20/2023, 4:34 AM
pulumi preview, despite receiving the above error. If I make any call using the AWS CLI it is immediately logged by iamlive.
billowy-army-68599
wide-account-87747
01/20/2023, 4:44 AM
wide-account-87747
01/20/2023, 4:44 AM
billowy-army-68599
wide-account-87747
01/20/2023, 5:15 AM
wide-account-87747
01/20/2023, 5:31 AM
wide-account-87747
01/20/2023, 5:33 AM
wide-account-87747
01/20/2023, 5:35 AM
User: arn:aws:sts::DEVELOPMENT:assumed-role/AWSReservedSSO_IMPLEMENTER_ROLE/Nathaniel.Munk@cloudwave.com.au is not authorized to perform: lambda:GetFunction on resource: arn:aws:lambda:ap-southeast-2:PRODUCTION:function:PROJECT-e6df74f because no resource-based policy allows the lambda:GetFunction action
billowy-army-68599
wide-account-87747
01/23/2023, 2:16 AM
config:
  aws:allowedAccountIds:
    - "DEVELOPMENT"
  aws:profile: Sandbox1
  aws:region: ap-southeast-2
wide-account-87747
01/23/2023, 2:18 AM
billowy-army-68599
wide-account-87747
01/23/2023, 10:40 PM
wide-account-87747
01/23/2023, 10:41 PM
billowy-army-68599
sandbox have?
billowy-army-68599
billowy-army-68599
aws:profile: Sandbox1
wide-account-87747
01/23/2023, 11:31 PM
billowy-army-68599
wide-account-87747
01/23/2023, 11:32 PM
billowy-army-68599
arn:aws:lambda:ap-southeast-2:PRODUCTION:function:PROJECT-e6df74f
Perhaps this particular stack was already deployed to production once? If you check your stack state with pulumi stack export you may see a reference to it.
wide-account-87747
01/23/2023, 11:36 PM
pulumi stack export | grep PRODUCTION is blank
wide-account-87747
01/23/2023, 11:36 PM
billowy-army-68599
wide-account-87747
01/23/2023, 11:38 PM
wide-account-87747
01/23/2023, 11:38 PM
wide-account-87747
01/23/2023, 11:39 PM
pulumi up -y runs without issue.
billowy-army-68599
aws sts get-caller-identity
• use something like iamlive to intercept the calls to the API https://github.com/iann0036/iamlive
wide-account-87747
01/23/2023, 11:43 PM
aws sts get-caller-identity is as expected, the DEVELOPMENT role and account; but CloudTrail shows calls made from that role to the PRODUCTION account resources
wide-account-87747
01/23/2023, 11:43 PM
wide-account-87747
01/23/2023, 11:43 PM
billowy-army-68599
wide-account-87747
01/23/2023, 11:44 PM
wide-account-87747
01/23/2023, 11:45 PM
-v 9 (et al.) but I was unable to find where it accesses the ARNs around the time it shows the calls to the provider
billowy-army-68599
pulumi up -v 9 --logtostderr
wide-account-87747
01/23/2023, 11:46 PM
billowy-army-68599
pulumi up -r and it’ll recreate all the resources
wide-account-87747
01/23/2023, 11:47 PM
wide-account-87747
01/23/2023, 11:48 PM
wide-account-87747
01/23/2023, 11:49 PM
wide-account-87747
01/23/2023, 11:52 PM
wide-account-87747
01/23/2023, 11:52 PM
pulumi stack export but it’s worth a shot)
billowy-army-68599
wide-account-87747
01/24/2023, 12:07 AM
pulumi stack export in the web UI, is there an API call to retrieve a specific checkpoint?
billowy-army-68599
wide-account-87747
01/24/2023, 12:09 AM