How would I get the current aws account id, so tha...
# awsp
polite-umbrella-11196
02/28/2023, 2:24 AMHow would I get the current aws account id, so that I can interpolate it into the middle of a role ARN?
l
little-cartoon-10569
02/28/2023, 2:36 AMYou can call sts:get-caller-identity. via the AWS SDK.
little-cartoon-10569
02/28/2023, 2:36 AMYou shouldn't need to do this if you're using Pulumi to manage the role, though. Are you using the SDK directly?
little-cartoon-10569
02/28/2023, 2:43 AMFor convenience, there's a Pulumi wrapper for it: https://www.pulumi.com/registry/packages/aws/api-docs/getcalleridentity/
p
polite-umbrella-11196
02/28/2023, 2:45 AMIt's a system created role... I guess I should use pulumi to get it, now that I think about it?
l
little-cartoon-10569
02/28/2023, 2:46 AM90% of the time, this sort of thing can be provided as a global const or config value. Would it be best to pass it in from the Pulumi.stack.yaml file?
little-cartoon-10569
02/28/2023, 2:47 AMCode isn't always the best solution 🙂
little-cartoon-10569
02/28/2023, 2:48 AMIf the only thing you ever use is a constant string value (the ARN), then just set up a constant string value with the ARN in it...
p
polite-umbrella-11196
02/28/2023, 2:48 AMAh I haven't figured out when to use those extra files yet
l
little-cartoon-10569
02/28/2023, 2:49 AMStart off by defining it as
const systemCreatedRoleArn: string = "x:y:z...";p
polite-umbrella-11196
02/28/2023, 3:06 AMIt's just obviously going to be the first thing that breaks when I try to run the same stack against a new account in prod :)
l
little-cartoon-10569
02/28/2023, 3:21 AMThen put it in your stack file.
little-cartoon-10569
02/28/2023, 3:22 AMUnless you will never create a new account. In which case, don't optimize prematurely 🙂
p
polite-umbrella-11196
02/28/2023, 3:25 AM_looks at his dev account, which is separate from his prod account_…
l
little-cartoon-10569
02/28/2023, 3:26 AMPut the string in your stack yaml file, and get it using
new pulumi.Config().require(...)p
polite-umbrella-11196
02/28/2023, 3:27 AMIt’s not a string that’s decided by my configuration, though, it’s a string that’s decided by which account I’m logged in to.
polite-umbrella-11196
02/28/2023, 3:28 AMif I do this:
export const accountId = current.then(current => current.accountId);arn:aws:iam::${accountId}…l
little-cartoon-10569
02/28/2023, 3:35 AMBut stacks should be hard-mapped to accounts, right? You don't have two dev stacks, one for account A and one for account B...?
little-cartoon-10569
02/28/2023, 3:36 AMexport const accountId = current.then(current => current.accountId);export const accountId = current.accountId;p
polite-umbrella-11196
02/28/2023, 3:36 AMAccount A is the “developer” account, so it’s basically disposable, nothing goes into it that matters. Production deployments will happen in account B, which… I dunno, may or may not have a variety of different deployment names.
polite-umbrella-11196
02/28/2023, 3:37 AMSo what I’m doing now is:
Copy code
const current = aws.getCallerIdentity({});
const accountId = current.then((current) => current.accountId);
...
executionRoleArn: pulumi.interpolate`arn:aws:iam::${accountId}:role/ecsTaskExecutionRole`,
...polite-umbrella-11196
02/28/2023, 3:37 AMI’m still a bit fuzzy on when interpolate is needed, or when the promise resolution satisfies it.
l
little-cartoon-10569
02/28/2023, 3:39 AMBut the point is, the value that goes into Pulumi.A.yaml will be constant, and the value that goes into Pulumi.B.yml is constant (but different to the value in Pulumi.A.yml).
little-cartoon-10569
02/28/2023, 3:39 AMSo don't bother with potentially-buggy code. Hard code the values into the config.
p
polite-umbrella-11196
02/28/2023, 3:40 AMheh, I understand.
polite-umbrella-11196
02/28/2023, 3:40 AMThanks for the guidance!
6 Views