Skip to content

Create resources with pulumi automation api assuming role from AWS using OIDC

Notifications You must be signed in to change notification settings

sibiraj-s/pulumi-oidc-example

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Pulumi OIDC Example

This is an example of how to use OIDC with Pulumi automation api to assume a role in AWS and create resources.

Prerequisites

  • Go (check the go version in the go.mod file)

Create resources

Export ROLE_ARN and OIDC_TOKEN as environment variables and run the program.

Note

In real world, the token would be fetched from the OIDC provider dynamically. For testing, we are just using a static token.

export ROLE_ARN="arn:aws:iam::123456789012:role/TestRole"
export OIDC_TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...."
go run .

This will create an S3 bucket in the AWS account by assuming the role using the provided OIDC token.

Also, the Pulumi home directory and the project backend is configured to the current working directory to enable faster debugging during development.

We use WebIdentityTokenFile and also set it in environment variables instead of setting the values in config, since the config values are cached in the state file and while refresh the newly set values are not picked up. This is a known issue with Pulumi. See the following issues for more details:

Destroy resources

To destroy the resources, run the program with the destroy flag.

go run . destroy

This will destroy the resources created by the program and remove the stack.

About

Create resources with pulumi automation api assuming role from AWS using OIDC

Topics

Resources

Stars

Watchers

Forks

Sponsor this project

 

Languages