
most-mouse-38002

02/13/2023, 10:28 AM
Using the code from this blog post (NOT pointing any fingers, just to be clear), and not being entirely sure what exactly has occurred (because I currently have no access at all), I get the same error almost everywhere in AWS right now. Can anyone share some insight as to what's going on?
user_X is not authorized to perform: iam:XXX on resource: resource_Y because no identity-based policy allows the iam:X action

orange-computer-56642

02/13/2023, 11:19 AM
did `user_X` have access before? if so, you maybe modified the policies for that user/role to be `ReadOnlyAccess` as in the blog post 🤷 in the blog post they're only doing `aws sts get-caller-identity` in the workflow so `ReadOnlyAccess` is enough

most-mouse-38002

02/13/2023, 11:43 AM
It’s a test account, so I added `AdministratorAccess` to make it easier while we tested. I just don’t understand why `pulumi down` would remove everything (for all users, not just the Pulumi user).

orange-computer-56642

02/13/2023, 11:49 AM
what's the pulumi program doing?
sounds scary 😐

most-mouse-38002

02/13/2023, 11:59 AM
Basically the exact same as in the example, except changing the role.
It did behave a bit oddly, because I had to take it down because it tried to recreate the provider that already existed instead of replacing it.

orange-computer-56642

02/13/2023, 12:02 PM
so you didn't create a new role but used an existing role instead? other users should only be affected if they're using the same role (federated sso role or smth) 🤔

most-mouse-38002

02/13/2023, 12:07 PM
I created a new role, and attached `AdministratorAccess` to it. Removing either should not remove the policy from everyone (I assumed).

orange-computer-56642

02/13/2023, 12:11 PM
to clarify, you mean the role that's called `secure-cloud-access` in the blog post?

most-mouse-38002

02/13/2023, 12:12 PM
Yes, that is correct.

orange-computer-56642

02/13/2023, 12:17 PM
well that's weird 😄 either there's a typo somewhere, some cached file was used or the planets are not aligned 🤷

most-mouse-38002

02/13/2023, 12:18 PM
I am going to try to reproduce it now, but even with a typo it should just have removed the assigned role for that user, not nuked every user in the account.

orange-computer-56642

02/13/2023, 12:20 PM
yeah it definitely shouldn't touch anything else than the role & policy attachment 😕

most-mouse-38002

02/13/2023, 12:21 PM
I have a new account now, I’ll try to reproduce.
Oh. I think I see what's going on here. https://www.pulumi.com/registry/packages/aws/api-docs/iam/policyattachment/
This means that even any users/roles/groups that have the attached policy via any other mechanism (including other resources managed by this provider) will have that attached policy revoked by this resource.

orange-computer-56642

02/13/2023, 12:37 PM
ouch 😕

most-mouse-38002

02/13/2023, 12:37 PM
I’ll update with a comment under this thread in the main chat, just to make sure nobody panics.

orange-computer-56642

02/13/2023, 12:37 PM
so adminaccess was revoked from everyone?

most-mouse-38002

02/13/2023, 12:38 PM
I mean that is my assumption, it does say so in the docs and that is what happens with my test account and test users. And since this was just a test account as well, everyone was just given that policy to ease my burden.

orange-computer-56642

02/13/2023, 12:39 PM
yeah, so instead of a policyattachment you'd use the `managedPolicyArns` instead (sry dunno what the actual property name is in js/ts)

most-mouse-38002

02/13/2023, 12:40 PM
`UserPolicyAttachment` seems like the one I want to use. Attach the policy to a specific user, and not mess with the entire account.