
dry-journalist-60579

03/08/2023, 10:49 PM
I’m trying to follow the instructions here (https://www.pulumi.com/docs/guides/oidc/aws/) to set up OIDC such that Pulumi Deployments can run… but I’m getting:
Error: fetching AWS credentials: WebIdentityErr: failed to retrieve credentials, caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity, status code: 403
Any ideas? I’m using Pulumi to create the OIDC configuration and AWS roles:
import json

import pulumi_aws as aws

# Create OIDC provider for Pulumi Deployments
oidc_provider = aws.iam.OpenIdConnectProvider(
    "Pulumi OIDC Provider",
    # Audience that Pulumi puts in the token: the Pulumi organization name
    client_id_lists=["MYORG"],
    # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
    thumbprint_lists=["9E99A48A9960B14926BB7F3B02E22DA2B0AB7280"],
    url="https://api.pulumi.com/oidc",
)

oidc_provider_role = aws.iam.Role(
    "Pulumi OIDC Provider Role",
    name="PulumiOIDC",
    # Trust policy: only tokens issued by the provider above, carrying the
    # expected audience and subject, may assume this role.
    assume_role_policy=oidc_provider.arn.apply(
        lambda arn: json.dumps(
            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Federated": arn,
                        },
                        "Action": "sts:AssumeRoleWithWebIdentity",
                        "Condition": {
                            # StringEquals is a literal comparison; the "*" in
                            # the sub value is only treated as a wildcard by
                            # the StringLike operator.
                            "StringEquals": {
                                "api.pulumi.com/oidc:aud": "MYORG",
                                "api.pulumi.com/oidc:sub": "pulumi:deploy:org:MYORG:project:*:*",
                            }
                        },
                    }
                ],
            }
        )
    ),
)

delightful-salesclerk-16161

03/08/2023, 10:50 PM
I just created a video on this. I'll share the link when it is out.
So, the role you created: is it attached to an identity provider, and if so, is the audience set correctly and does it match your organization name?
If those two are both done correctly, did you select the right policy or permission set for the type of resources you are trying to manage?

dry-journalist-60579

03/08/2023, 10:54 PM
So I haven’t attached any permissions yet… I was just hoping to see whether OIDC itself is set up correctly such that Pulumi can assume the role.
I thought the error message would look more like “role doesn’t have the permissions to access X resource” if it were a case of the role not having sufficient permissions,
but this seems to indicate the process is not even able to assume the role.

delightful-salesclerk-16161

03/08/2023, 10:55 PM
Can you just throw in the AdministratorAccess permissions to see if it works?

dry-journalist-60579

03/08/2023, 10:56 PM
so give it a managed_policy_arns?

delightful-salesclerk-16161

03/08/2023, 10:57 PM
this one

dry-journalist-60579

03/08/2023, 10:57 PM
["arn:aws:iam::aws:policy/AdministratorAccess"]

delightful-salesclerk-16161

03/08/2023, 10:57 PM
I got the same error; I am trying to retrace where I got that error out of the many errors I got along the way.
Yeah, try that and tell me if it works.

dry-journalist-60579

03/08/2023, 11:05 PM
ok running it now
btw, the thumbprint thing is a bit obscure… hard to understand what to do for that from the docs

delightful-salesclerk-16161

03/08/2023, 11:06 PM
which thing?
https://www.pulumi.com/docs/guides/oidc/aws/ => doesn’t make any mention of it
ok same error, even though I added the permission.
For the Trusted entities in the role I have:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<ACCOUNT-ID>:oidc-provider/api.pulumi.com/oidc"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "api.pulumi.com/oidc:aud": "<PULUMI-ORG>",
          "api.pulumi.com/oidc:sub": "pulumi:deploy:org:<PULUMI-ORG>:project:*:*"
        }
      }
    }
  ]
}

delightful-salesclerk-16161

03/08/2023, 11:10 PM
did you replace <PULUMI-ORG> with the name of your org?

dry-journalist-60579

03/08/2023, 11:11 PM
Yeah (I don’t know why I always worry about copy/paste with identifying values).
And I have this for the id provider:
if you want to jump on

dry-journalist-60579

03/08/2023, 11:50 PM
(thanks again!)