AWS v6.60.0 published on Tuesday, Nov 19, 2024 by Pulumi

Provisioning an OIDC Provider in AWS for Pulumi Cloud



    This example creates an OIDC configuration between Pulumi Cloud and AWS (an IAM OIDC identity provider plus a role that Pulumi Cloud can assume), specifically demonstrating connectivity with Pulumi ESC. The program automates the process detailed in the AWS documentation for the following activities:

    Prerequisites

    Make sure to deploy this example in an AWS account that does not already have an IAM OIDC identity provider registered for https://api.pulumi.com/oidc. An account can hold only one OIDC provider per URL, so if one is already configured for Pulumi the deployment will fail with the following error:

    creating IAM OIDC Provider: EntityAlreadyExists: Provider with url https://api.pulumi.com/oidc already exists.

    Running the Example

    Clone the examples repo and navigate to the folder for this example.

    git clone https://github.com/pulumi/examples.git
    cd examples/aws-py-oidc-provider-pulumi-cloud
    

    Next, to deploy the application and its infrastructure, follow these steps:

    1. Create a new stack, which is an isolated deployment target for this example:

      $ pulumi stack init dev
      
    2. Set your desired AWS region:

      $ pulumi config set aws:region us-east-1 # any valid AWS region will work
      
    3. Install requirements into a virtual environment:

      $ python3 -m venv venv
      $ venv/bin/pip install -r requirements.txt
      
    4. Run pulumi up -y (the -y flag skips the confirmation prompt). Once the program completes, it outputs a YAML template for a Pulumi ESC environment, which you will use in the next step.

    Validating the OIDC Configuration

    This next section walks you through validating your OIDC configuration using Pulumi ESC.

    Start by creating a new Pulumi ESC environment. Then copy the template definition from the output in the CLI and paste it into your environment. Save your environment file and run the pulumi env open <your-pulumi-org>/<your-environment> command in the CLI. You should see output similar to the following:

    $ pulumi env open myOrg/myEnvironment
    {
      "aws": {
        "login": {
          "accessKeyId": "ASIA....",
          "secretAccessKey": "rtBS....",
          "sessionToken": "Fwo...."
        }
      },
      "environmentVariables": {
        "AWS_ACCESS_KEY_ID": "ASIA....",
        "AWS_SECRET_ACCESS_KEY": "rtBS....",
        "AWS_SESSION_TOKEN": "Fwo...."
      }
    }
    
    The ASIA key prefix and the session token show that these are temporary STS credentials obtained through sts:AssumeRoleWithWebIdentity: Pulumi Cloud presented its OIDC token for the environment, and the role's trust policy accepted it. They expire with the session, so do not copy them into long-lived configuration; open the environment again whenever fresh credentials are needed.

    By default the trust policy only checks the aud claim, which Pulumi Cloud sets to your organization name, so any token Pulumi Cloud issues for that organization with that audience (for example, a different ESC environment) could assume the role. You can configure more granular access control by adding the sub claim to the Provider role's trust policy conditions with the appropriate pattern. In the following example, the role may only be assumed by the specific Pulumi ESC environment that you designate; substitute your own AWS account ID in the Federated principal.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::616138583583:oidc-provider/api.pulumi.com/oidc"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "api.pulumi.com/oidc:aud": "<your-pulumi-org>",
                        "api.pulumi.com/oidc:sub": "pulumi:environments:org:<your-pulumi-org>:env:<your-environment-name>"
                    }
                }
            }
        ]
    }
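    The following Python script is an added example, not code from the pulumi/examples repository or from the AWS documentation. It builds the trust policy above from an account ID, organization and environment name, and then runs a simplified, offline model of how IAM evaluates the StringEquals and StringLike condition operators against a token's claims, so you can see which Pulumi Cloud tokens a given policy admits before deploying it. It goes beyond the page's single case: passing a glob such as prod-* for the environment produces a StringLike condition that covers several environments at once. The account ID 123456789012, the organization and environment names, and the sample claim sets are placeholders; the evaluator is a model, not a call to AWS.

```python
"""Build and sanity-check the Pulumi Cloud OIDC trust policy offline.

Added example (not the pulumi/examples program). Account ID, organization
and environment names are placeholders; can_assume() is a simplified model
of IAM's StringEquals / StringLike condition evaluation, not an AWS call.
"""
import fnmatch
import json
from typing import Optional

OIDC_ISSUER = "api.pulumi.com/oidc"   # host/path of the Pulumi Cloud issuer


def provider_arn(account_id: str) -> str:
    """ARN of the IAM OIDC identity provider the example creates."""
    return f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_ISSUER}"


def esc_subject(org: str, env: str) -> str:
    """sub claim carried by tokens Pulumi Cloud issues for an ESC environment,
    in the format shown on this page."""
    return f"pulumi:environments:org:{org}:env:{env}"


def trust_policy(account_id: str, org: str, env: Optional[str] = None) -> dict:
    """Trust policy for the role Pulumi ESC assumes.

    env=None checks only the aud claim, which admits any token Pulumi Cloud
    issues for the organization. A literal env pins the sub claim with
    StringEquals; an env containing * or ? becomes a StringLike pattern.
    """
    equals = {f"{OIDC_ISSUER}:aud": org}
    like = {}
    if env is not None:
        subject = esc_subject(org, env)
        if any(c in env for c in "*?"):
            like[f"{OIDC_ISSUER}:sub"] = subject
        else:
            equals[f"{OIDC_ISSUER}:sub"] = subject
    condition = {"StringEquals": equals}
    if like:
        condition["StringLike"] = like
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn(account_id)},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def _matches(op: str, expected: str, actual: str) -> bool:
    """Model of the two IAM string operators used in this policy."""
    if op == "StringEquals":
        return actual == expected
    if op == "StringLike":
        return fnmatch.fnmatchcase(actual, expected)   # * and ? wildcards
    raise ValueError(f"unsupported condition operator {op}")


def can_assume(policy: dict, claims: dict) -> bool:
    """Would a web-identity token with these claims satisfy the policy?

    Every condition key must be present in the claims and match; a missing
    claim fails the condition. Claims are assumed to be plain strings.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        ok = True
        for op, keys in stmt.get("Condition", {}).items():
            for key, expected in keys.items():
                claim = key[len(OIDC_ISSUER) + 1:]   # "api.pulumi.com/oidc:sub" -> "sub"
                actual = claims.get(claim)
                if actual is None or not _matches(op, expected, actual):
                    ok = False
        if ok:
            return True
    return False


if __name__ == "__main__":
    # Print the policy for one environment; compare it with the JSON above.
    print(json.dumps(trust_policy("123456789012", "myOrg", "myEnvironment"), indent=2))
```

    Run the script to print the policy, or import it and feed can_assume() the claims you expect Pulumi Cloud to issue: a token for another environment in the same organization passes the aud-only policy but fails once the sub condition is present, and a token missing the sub claim altogether is rejected.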
    

    Once you are done, you can destroy all of the resources as well as the stack:

    $ pulumi destroy
    $ pulumi stack rm
    