# general
a
Hi Everyone. Quick question regarding the `aws:allowedAccountIds` config setting - I've noticed that even with using this setting, there are cases where I've accidentally connected to the wrong AWS account, which has caused all sorts of issues where the stack then references resources in two different accounts. From there, I get a bunch of access denied errors, which makes sense because I'm connected to one AWS account but referencing another. Am I missing something here? What I was hoping for is that pulumi would stop in its tracks as soon as it finds that it is referencing a non-approved account. Is there a better setting to use to achieve this? Does `forbiddenAccountIds` work any differently?
b
I use this all the time and it works great. How are you setting the config value?
a
We have two different AWS accounts - one for prod, and one for dev/uat. So for each stack, I'm setting:
```yaml
config:
  aws:allowedAccountIds:
    - XXXXXXXXXXX
```
to only allow deploys to the correct account.
b
Do you use an explicit provider in your code? Are those the resources that end up in the wrong account?
a
Sorry for the delay. Yes, I am using a provider for all pulumi resources. We have a multi-region setup so all resources use a regional based provider for AWS.
```csharp
// One AWS provider per region; every region is expected to target the same account.
providerByRegion[region] = new Pulumi.Aws.Provider(
    $"aws-{region.Id()}",
    new Pulumi.Aws.ProviderArgs { Region = region.SystemName },
    new CustomResourceOptions().WithAliases(new() { new Alias { Name = $"aws-{region.SystemName}" } }));

// Resource options that bind each regional resource to its regional provider.
customOptionsByRegion[region] = new CustomResourceOptions()
{
    Provider = providerByRegion[region],
    Parent = providerByRegion[region]
};

vpcByRegion[region] = new Vpc($"{region.Id()}-vpc", new()
{
    CidrBlock = CidrBlock.Cidr(),
    EnableDnsHostnames = true,
    EnableDnsSupport = true,
}, customOptionsByRegion[region]);
```
So I suppose different resources in different regions have a different provider, but they all are part of the same AWS account.. or at least should be.
b
You need to add the allowed account ids to that provider as well then, in that case
a
Ohh okay. So if I add something like this to the yaml config file..?
```yaml
config:
  aws:allowedAccountIds:
    - XXXXXXXXXXX
  aws-use1:allowedAccountIds:
    - XXXXXXXXXXX
  aws-euc1:allowedAccountIds:
    - XXXXXXXXXXX
```
Another thought - could I give them all the same `aws` alias? If I did that, would they all reference the same accounts in `aws:allowedAccountIds`?
Something like...
```csharp
// Same regional provider as before, with an extra "aws" alias on every one of them.
providerByRegion[region] = new Pulumi.Aws.Provider(
    $"aws-{region.Id()}",
    new Pulumi.Aws.ProviderArgs { Region = region.SystemName },
    new CustomResourceOptions().WithAliases(new()
    {
        new Alias { Name = $"aws-{region.SystemName}" },
        new Alias { Name = "aws" }
    }));
```
b
No you need to do it directly in your provider instantiation in your code
a
Sorry I'm not following you - I'm pretty new to Pulumi. Can you clarify what you mean? I need to add the `allowedAccountIds` setting directly to the provider?
b
So, you see how you're setting the region in `Pulumi.Aws.ProviderArgs`? Another ProviderArg is `allowedAccountIds`, so when you instantiate your provider, pass the values there. Untested code:
```csharp
// Pass the allowed account IDs to the explicit provider itself, not just to stack config.
providerByRegion[region] = new Pulumi.Aws.Provider(
    $"aws-{region.Id()}",
    new Pulumi.Aws.ProviderArgs
    {
        AllowedAccountIds = new[] { "11111111" },
        Region = region.SystemName
    },
    new CustomResourceOptions().WithAliases(new()
    {
        new Alias { Name = $"aws-{region.SystemName}" },
        new Alias { Name = "aws" }
    }));
```
a
Ooh I see.. So then something like this should do it (also untested code)..
```csharp
// Read the account list from the "aws" config namespace (aws:allowedAccountIds)
// and hand it to each regional provider so the guard applies there too.
var config = new Pulumi.Config("aws");
var allowedAccountIds = config.RequireObject<List<string>>("allowedAccountIds");
providerByRegion[region] = new Pulumi.Aws.Provider(
    $"aws-{region.Id()}",
    new Pulumi.Aws.ProviderArgs
    {
        AllowedAccountIds = allowedAccountIds,
        Region = region.SystemName
    },
    new CustomResourceOptions().WithAliases(new() { new Alias { Name = $"aws-{region.SystemName}" } }));
```
b
yep!
a
Awesome.. I'll give that a try tomorrow. Thank you very much @billowy-army-68599!