dry-journalist-60579
02/13/2023, 4:03 PM
Pulumi.yaml
(aws:assumeRole: '{"roleArn": "arn:aws:iam::xxx:role/service-role/AWSControlTowerAdmin"}').
I wrote a stack to loop over organization = aws.organizations.get_organization() => organization.accounts. Within the loop over the organizations, I then use
role_arn = pulumi.Output.format(
    "arn:aws:iam::{0}:role/AWSControlTowerExecution", account.id
)
# Create Provider to assume role
provider = aws.Provider(
    f"Provider: {account.name}",
    assume_role={
        "roleArn": role_arn,
    },
)
We’re using SSO, so to run this I got my aws cli ready by: aws configure sso
and logging in. Finally, I run AWS_PROFILE=my-profile pulumi preview
and it worked… from my gitpod instance. When I try to run it locally with the same setup I get:
Type Name Plan Info
+ pulumi:pulumi:Stack aws-admin-stack-aws-admin create
+ ├─ aws:iam:AccountPasswordPolicy AccountPasswordPolicy: management account create
+ ├─ aws:iam:Policy AllowSSOAdminsToAssumeAWSControlTowerAdmin create
+ ├─ pulumi:providers:aws Provider: xxx create
+ ├─ pulumi:providers:aws Provider: xxx create
+ ├─ pulumi:providers:aws Provider: xxx create
+ ├─ pulumi:providers:aws Provider: xxx create
+ ├─ pulumi:providers:aws Provider: xxx create
+ ├─ pulumi:providers:aws Provider: xxx create
+ ├─ pulumi:providers:aws Provider: xxx create
+ ├─ aws:iam:RolePolicyAttachment AllowSSOAdminsToAssumeAWSControlTowerAdminAttachment create
└─ aws:iam:AccountPasswordPolicy AccountPasswordPolicy: xxx 1 error
error: unable to validate AWS credentials.
Details: no valid credential sources for found.
Please see
for more information about providing credentials.
Error: failed to refresh cached credentials, operation error SSO: GetRoleCredentials, https response error StatusCode: 0, RequestID: , request send failed, Get "https://portal.sso.us-east-1.amazonaws.com/federation/credentials?account_id=xxx&role_name=AWSAdministratorAccess": dial tcp: lookup portal.sso.us-east-1.amazonaws.com on 192.168.1.1:53: read udp 192.168.1.104:61325->192.168.1.1:53: i/o timeout
Anyone have any clues?
melodic-tomato-39005
02/13/2023, 5:27 PM
dry-journalist-60579
02/13/2023, 5:38 PM
melodic-tomato-39005
02/13/2023, 5:39 PM
dry-journalist-60579
02/13/2023, 5:40 PM
v3.54.0
on both… so it’s not that
melodic-tomato-39005
02/13/2023, 5:40 PM
dry-journalist-60579
02/13/2023, 5:41 PM
melodic-tomato-39005
02/13/2023, 5:41 PM
dry-journalist-60579
02/13/2023, 6:37 PM
melodic-tomato-39005
02/13/2023, 10:39 PM
dry-journalist-60579
02/14/2023, 12:05 AM
env
~/.aws/config
files are identical
melodic-tomato-39005
02/14/2023, 3:11 AM
dry-journalist-60579
02/14/2023, 4:23 AM
[profile xxx]
section there is also a [sso-session xxx]
section. The way the cli sets this up just doesn’t seem to work with pulumi up. Rather, I have to manually go in and make sure it’s in the “legacy” format.
This is the error:
Exception: invoke of aws:iam/getRole:getRole failed: invocation of aws:iam/getRole:getRole returned an error: unable to validate AWS credentials.
Details: loading configuration: profile "<profile-name>" is configured to use SSO but is missing required configuration: sso_region, sso_start_url
E.g. this works:
[profile <profile-name>]
sso_start_url = https://<subdomain>.awsapps.com/start
sso_region = <region>
sso_account_id = <account-id>
sso_role_name = <role-name>
region = <region>
output = json
and this doesn’t work:
[profile <profile-name>]
sso_session = <session-name>
sso_account_id = <account-id>
sso_role_name = <role-name>
region = <region>
output = json
[sso-session <session-name>]
sso_start_url = https://<subdomain>.awsapps.com/start
sso_region = <region>
sso_registration_scopes = sso:account:access
billowy-army-68599
02/14/2023, 2:36 PM
dry-journalist-60579
02/14/2023, 3:29 PM
~/.aws/config
manually yields a configuration that works without needing something like https://github.com/jaxxstorm/aws-sso-creds
eval $(aws-sso-creds export)
Does it support something like:
AWS_PROFILE=my-profile aws-sso-creds pulumi up
billowy-army-68599
02/14/2023, 3:33 PM
-p flag - i haven’t considered creating an execution mechanism, but that’s an interesting idea
dry-journalist-60579
02/14/2023, 3:47 PM
alert-cartoon-12389
04/26/2023, 11:43 PM
dry-journalist-60579
04/26/2023, 11:49 PM
alert-cartoon-12389
04/26/2023, 11:51 PM
dry-journalist-60579
04/26/2023, 11:52 PM
alert-cartoon-12389
04/26/2023, 11:53 PM
error: Preview failed: unable to validate AWS credentials.
Details: no valid credential sources for Pulumi AWS Classic found.
AWS_PROFILE=my-profile pulumi up
But when I try to do pulumi up only it gives me this error
dry-journalist-60579
04/26/2023, 11:55 PM
alert-cartoon-12389
04/26/2023, 11:57 PM
dry-journalist-60579
04/26/2023, 11:59 PM
alert-cartoon-12389
04/27/2023, 12:00 AM
dry-journalist-60579
04/27/2023, 12:00 AM