This message was deleted.
# getting-starteds
sparse-intern-71089
03/08/2023, 10:49 PMThis message was deleted.
d
delightful-salesclerk-16161
03/08/2023, 10:50 PM
I just created a video on this. I'll share the link when it is out.
❤️ 1
delightful-salesclerk-16161
03/08/2023, 10:51 PM
So the role you created is it attached to an Identity Provider and if so, is the Audience set correctly and matches your organization name?
delightful-salesclerk-16161
03/08/2023, 10:53 PM
If those two are all done correctly, did you select the right policy or permissions set for the type of resources you are trying to manage?
d
dry-journalist-60579
03/08/2023, 10:54 PMSo I haven’t attached any permissions yet… I was just hoping to see whether OIDC itself is set up correctly such that Pulumi can assume the role
dry-journalist-60579
03/08/2023, 10:55 PMI though the error message would look more like “role doesn’t have the permissions to access X resource” if it were a case of the role not having sufficient permissions
dry-journalist-60579
03/08/2023, 10:55 PMbut this seems to indicate the process is not even able to assume the role
d
delightful-salesclerk-16161
03/08/2023, 10:55 PM
can you just through in the AdministratorAccess permissions to see if it works?
d
dry-journalist-60579
03/08/2023, 10:56 PMso give it a
managed_policy_arnsd
delightful-salesclerk-16161
03/08/2023, 10:57 PM
this one
d
dry-journalist-60579
03/08/2023, 10:57 PM Copy code
["arn:aws:iam::aws:policy/AdministratorAccess"]👍 1
d
delightful-salesclerk-16161
03/08/2023, 10:57 PM
i got the same error, i am trying to retrace where I got that error out of the many errors i got along the way
delightful-salesclerk-16161
03/08/2023, 10:58 PM
yeah try that and tell me if it works
d
dry-journalist-60579
03/08/2023, 11:05 PMok running it now
dry-journalist-60579
03/08/2023, 11:06 PMbtw, the thumbprint thing is a bit obscure… hard to understand what to do for that from the docs
d
delightful-salesclerk-16161
03/08/2023, 11:06 PM
which thing?
d
dry-journalist-60579
03/08/2023, 11:06 PMdry-journalist-60579
03/08/2023, 11:07 PMhttps://www.pulumi.com/docs/guides/oidc/aws/ => doesn’t make any mention of it
dry-journalist-60579
03/08/2023, 11:08 PMok same error, even though I added the permission:
dry-journalist-60579
03/08/2023, 11:10 PMFor the Trusted entities in the role I have:
Copy code
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<ACCOUNT-ID>:oidc-provider/api.pulumi.com/oidc"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"<http://api.pulumi.com/oidc:aud|api.pulumi.com/oidc:aud>": "<PULUMI-ORG>",
"<http://api.pulumi.com/oidc:sub|api.pulumi.com/oidc:sub>": "pulumi:deploy:org:<PULUMI-ORG>:project:*:*"
}
}
}
]
}d
delightful-salesclerk-16161
03/08/2023, 11:10 PM
did you replace <PULUMI-ORG> with the name of your org?
d
dry-journalist-60579
03/08/2023, 11:11 PMyeah (I don’t know why I always worry about copy/pasta with identifying values)
dry-journalist-60579
03/08/2023, 11:12 PMAnd I have this for the id provider:
d
delightful-salesclerk-16161
03/08/2023, 11:14 PM
delightful-salesclerk-16161
03/08/2023, 11:14 PM
if you want to jump on
d
dry-journalist-60579
03/08/2023, 11:50 PM(thanks again!)
4 Views