faint-balloon-33174
02/03/2023, 3:39 PMminiature-musician-31262
02/03/2023, 8:59 PMfaint-balloon-33174
02/03/2023, 9:01 PMaws:assumeRole:
roleArn: arn:aws:iam::rest-of-role-arn
sessionName: infra-deploy-session-staging
and it correctly assumes the role when deploying. But if I remove it, it continues to assume the role on subsequent deploys.aws:assumeRole
set it deploys as my IAM user without assuming any role as expected.miniature-musician-31262
02/03/2023, 9:04 PMfaint-balloon-33174
02/03/2023, 9:05 PMminiature-musician-31262
02/03/2023, 9:06 PMassumeRole
option myself, so I’ll have to poke a bit also. You’re right that this does seem odd though. Which backend are you using?faint-balloon-33174
02/03/2023, 9:08 PMminiature-musician-31262
02/03/2023, 9:14 PMfaint-balloon-33174
02/03/2023, 9:15 PMminiature-musician-31262
02/03/2023, 9:16 PMfaint-balloon-33174
02/03/2023, 9:18 PMminiature-musician-31262
02/03/2023, 10:08 PMaws
provider version 5.x. Which version are you using?--refresh
as part of the update would be good to know, too.faint-balloon-33174
02/03/2023, 10:28 PM@pulumi/pulumi@npm:3.53.1
@pulumi/aws@npm:5.28.0
CLI v3.53.1
miniature-musician-31262
02/03/2023, 10:39 PMfaint-balloon-33174
02/03/2023, 10:40 PMminiature-musician-31262
02/03/2023, 10:43 PMassumeRole
block immediately stops using it when I run pulumi up
and then falls back to the role I’ve configured at ~/.aws/credentials
for example.getCallerIdentity
in code somehow, or?faint-balloon-33174
02/03/2023, 10:50 PMminiature-musician-31262
02/03/2023, 10:51 PMfaint-balloon-33174
02/03/2023, 10:53 PMError deleting IAM role policy api-task-####:policy-name-####: AccessDenied: User: arn:aws:sts::####:assumed-role/the-role-in-question is not authorized to perform: iam:DeleteRolePolicy on resource: role api-task-#### because no identity-based policy allows the iam:DeleteRolePolicy action
miniature-musician-31262
02/03/2023, 10:58 PMfaint-balloon-33174
02/03/2023, 10:58 PMminiature-musician-31262
02/03/2023, 11:00 PMaws.getCallerIdentity().then(identity => console.log(identity.arn));
assumeRole
block in your stack config.faint-balloon-33174
02/03/2023, 11:05 PMminiature-musician-31262
02/03/2023, 11:06 PMfaint-balloon-33174
02/03/2023, 11:08 PMminiature-musician-31262
02/03/2023, 11:09 PMroleArn
in your stack config, the AccessDenied
error you get back quotes that ARN and not the original one. Right?faint-balloon-33174
02/03/2023, 11:34 PMassumeRole
they deploy with my user, not the roleminiature-musician-31262
02/03/2023, 11:43 PMpulumi refresh
with the assumeRole
bit commented out again.faint-balloon-33174
02/03/2023, 11:46 PMminiature-musician-31262
02/03/2023, 11:47 PMfaint-balloon-33174
02/03/2023, 11:47 PMminiature-musician-31262
02/03/2023, 11:47 PMfaint-balloon-33174
02/03/2023, 11:50 PMminiature-musician-31262
02/03/2023, 11:50 PM