# getting-started
d
I’m trying to follow the instructions here (https://www.pulumi.com/docs/guides/oidc/aws/) to set up OIDC such that Pulumi Deployments can run… but I’m getting:
Error: fetching AWS credentials: WebIdentityErr: failed to retrieve credentials, caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity, status code: 403
Any ideas? I’m using Pulumi to create the OIDC configuration and AWS roles:
import pulumi_aws as aws
import json

# Create the OIDC identity provider for Pulumi Deployments
oidc_provider = aws.iam.OpenIdConnectProvider(
    "Pulumi OIDC Provider",
    # The audience the Pulumi-issued token must carry (the Pulumi org name)
    client_id_lists=["MYORG"],
    # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
    thumbprint_lists=["9E99A48A9960B14926BB7F3B02E22DA2B0AB7280"],
    url="https://api.pulumi.com/oidc",
)

# Role that Pulumi Deployments will assume via sts:AssumeRoleWithWebIdentity.
# The trust policy only allows tokens issued by the provider above whose
# aud and sub claims satisfy the conditions below.
oidc_provider_role = aws.iam.Role(
    "Pulumi OIDC Provider Role",
    name="PulumiOIDC",
    assume_role_policy=oidc_provider.arn.apply(
        lambda arn: json.dumps(
            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Federated": arn,
                        },
                        "Action": "sts:AssumeRoleWithWebIdentity",
                        "Condition": {
                            "StringEquals": {
                                "api.pulumi.com/oidc:aud": "MYORG",
                                "api.pulumi.com/oidc:sub": "pulumi:deploy:org:MYORG:project:*:*",
                            }
                        },
                    }
                ],
            }
        )
    ),
)
d
I just created a video on this. I'll share the link when it is out.
So the role you created is it attached to an Identity Provider and if so, is the Audience set correctly and matches your organization name?
If those two are all done correctly, did you select the right policy or permissions set for the type of resources you are trying to manage?
d
So I haven’t attached any permissions yet… I was just hoping to see whether OIDC itself is set up correctly such that Pulumi can assume the role
I thought the error message would look more like “role doesn’t have the permissions to access X resource” if it were a case of the role not having sufficient permissions
but this seems to indicate the process is not even able to assume the role
d
can you just throw in the AdministratorAccess permissions to see if it works?
d
so give it a managed_policy_arns?
d
this one
d
["arn:aws:iam::aws:policy/AdministratorAccess"]
d
I got the same error, I am trying to retrace where I got that error out of the many errors I got along the way
yeah try that and tell me if it works
d
ok running it now
btw, the thumbprint thing is a bit obscure… hard to understand what to do for that from the docs
d
which thing?
https://www.pulumi.com/docs/guides/oidc/aws/ => doesn’t make any mention of it
ok same error, even though I added the permission:
For the Trusted entities in the role I have:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<ACCOUNT-ID>:oidc-provider/api.pulumi.com/oidc"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "api.pulumi.com/oidc:aud": "<PULUMI-ORG>",
          "api.pulumi.com/oidc:sub": "pulumi:deploy:org:<PULUMI-ORG>:project:*:*"
        }
      }
    }
  ]
}
d
did you replace <PULUMI-ORG> with the name of your org?
d
yeah (I don’t know why I always worry about copy/pasta with identifying values)
And I have this for the id provider:
if you want to jump on
d
(thanks again!)