No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

You can call sts:get-caller-identity. via the AWS SDK.

You shouldn't need to do this if you're using Pulumi to manage the role, though. Are you using the SDK directly?

For convenience, there's a Pulumi wrapper for it: <https://www.pulumi.com/registry/packages/aws/api-docs/getcalleridentity/>

It's a system created role... I guess I should use pulumi to get it, now that I think about it?

90% of the time, this sort of thing can be provided as a global const or config value. Would it be best to pass it in from the Pulumi.stack.yaml file?

Code isn't always the best solution :slightly_smiling_face:

If the only thing you ever use is a constant string value (the ARN), then just set up a constant string value with the ARN in it...

Ah I haven't figured out when to use those extra files yet

Start off by defining it as `const systemCreatedRoleArn: string = "x:y:z...";`. When that's not good enough any more, improve it.

It's just obviously going to be the first thing that breaks when I try to run the same stack against a new account in prod :)

Unless you will never create a new account. In which case, don't optimize prematurely :slightly_smiling_face:

_looks at his dev account, which is separate from his prod account_…

Put the string in your stack yaml file, and get it using `new pulumi.Config().require(...)`

It’s not a string that’s decided by my configuration, though, it’s a string that’s decided by which account I’m logged in to.

if I do this: `export const accountId = current.then(current =&gt; current.accountId);` do I have to still use pulumi.interpolate? Or can I do a normal string ala `arn:aws:iam::${accountId}…`?

But stacks should be hard-mapped to accounts, right? You don't have two dev stacks, one for account A and one for account B...?

`export const accountId = current.then(current =&gt; current.accountId);` doesn't mean anything, it's the same as `export const accountId = current.accountId;`

Account A is the “developer” account, so it’s basically disposable, nothing goes into it that matters.  Production deployments will happen in account B, which… I dunno, may or may not have a variety of different deployment names.

So what I’m doing now is:
```  const current = aws.getCallerIdentity({});
  const accountId = current.then((current) =&gt; current.accountId);
  ...
    executionRoleArn: pulumi.interpolate`arn:aws:iam::${accountId}:role/ecsTaskExecutionRole`,
  ...```


I’m still a bit fuzzy on when interpolate is needed, or when the promise resolution satisfies it.

But the point is, the value that goes into Pulumi.A.yaml will be constant, and the value that goes into Pulumi.B.yml is constant (but different to the value in Pulumi.A.yml).

So don't bother with potentially-buggy code. Hard code the values into the config.