https://pulumi.com logo
#aws
Title
# aws
p

polite-umbrella-11196

02/28/2023, 2:24 AM
How would I get the current aws account id, so that I can interpolate it into the middle of a role ARN?
l

little-cartoon-10569

02/28/2023, 2:36 AM
You can call sts:get-caller-identity. via the AWS SDK.
You shouldn't need to do this if you're using Pulumi to manage the role, though. Are you using the SDK directly?
For convenience, there's a Pulumi wrapper for it: https://www.pulumi.com/registry/packages/aws/api-docs/getcalleridentity/
p

polite-umbrella-11196

02/28/2023, 2:45 AM
It's a system created role... I guess I should use pulumi to get it, now that I think about it?
l

little-cartoon-10569

02/28/2023, 2:46 AM
90% of the time, this sort of thing can be provided as a global const or config value. Would it be best to pass it in from the Pulumi.stack.yaml file?
Code isn't always the best solution 🙂
If the only thing you ever use is a constant string value (the ARN), then just set up a constant string value with the ARN in it...
p

polite-umbrella-11196

02/28/2023, 2:48 AM
Ah I haven't figured out when to use those extra files yet
l

little-cartoon-10569

02/28/2023, 2:49 AM
Start off by defining it as
const systemCreatedRoleArn: string = "x:y:z...";
. When that's not good enough any more, improve it.
p

polite-umbrella-11196

02/28/2023, 3:06 AM
It's just obviously going to be the first thing that breaks when I try to run the same stack against a new account in prod :)
l

little-cartoon-10569

02/28/2023, 3:21 AM
Then put it in your stack file.
Unless you will never create a new account. In which case, don't optimize prematurely 🙂
p

polite-umbrella-11196

02/28/2023, 3:25 AM
_looks at his dev account, which is separate from his prod account_…
l

little-cartoon-10569

02/28/2023, 3:26 AM
Put the string in your stack yaml file, and get it using
new pulumi.Config().require(...)
p

polite-umbrella-11196

02/28/2023, 3:27 AM
It’s not a string that’s decided by my configuration, though, it’s a string that’s decided by which account I’m logged in to.
if I do this:
export const accountId = current.then(current => current.accountId);
do I have to still use pulumi.interpolate? Or can I do a normal string ala
arn:aws:iam::${accountId}…
?
l

little-cartoon-10569

02/28/2023, 3:35 AM
But stacks should be hard-mapped to accounts, right? You don't have two dev stacks, one for account A and one for account B...?
export const accountId = current.then(current => current.accountId);
doesn't mean anything, it's the same as
export const accountId = current.accountId;
p

polite-umbrella-11196

02/28/2023, 3:36 AM
Account A is the “developer” account, so it’s basically disposable, nothing goes into it that matters. Production deployments will happen in account B, which… I dunno, may or may not have a variety of different deployment names.
So what I’m doing now is:
Copy code
const current = aws.getCallerIdentity({});
  const accountId = current.then((current) => current.accountId);
  ...
    executionRoleArn: pulumi.interpolate`arn:aws:iam::${accountId}:role/ecsTaskExecutionRole`,
  ...
I’m still a bit fuzzy on when interpolate is needed, or when the promise resolution satisfies it.
l

little-cartoon-10569

02/28/2023, 3:39 AM
But the point is, the value that goes into Pulumi.A.yaml will be constant, and the value that goes into Pulumi.B.yml is constant (but different to the value in Pulumi.A.yml).
So don't bother with potentially-buggy code. Hard code the values into the config.
p

polite-umbrella-11196

02/28/2023, 3:40 AM
heh, I understand.
Thanks for the guidance!
5 Views