@wvanderdeijl
Last active February 9, 2024 13:42
@pulumi/aws with assumeRoleWithWebIdentity using a Google service account
import * as aws from '@pulumi/aws';
import { all, output, secret } from '@pulumi/pulumi';
import { GoogleAuth } from 'google-auth-library';

// `auth` was used but never declared in the gist; google-auth-library's GoogleAuth is the
// client whose getClient()/request() calls are used below (added here as that assumption).
// It picks up Application Default Credentials, which must be allowed to mint tokens for the
// service account below (roles/iam.serviceAccountTokenCreator on that account).
const auth = new GoogleAuth();

// Google service account whose OIDC ID token is exchanged for AWS credentials
const serviceAccount = output('my-service-account@my-project.iam.gserviceaccount.com');
// Audience the ID token is minted for (value redacted in the gist); the AWS role's trust
// policy must require exactly this value
const audience = output('*****');
// AWS role that trusts accounts.google.com as a web identity provider
const awsRoleArn = output('arn:aws:iam::999999999999:role/pulumi-aws-federation');

// Mint a short-lived ID token for the service account via the IAM Credentials API and mark
// it secret so it is encrypted in the Pulumi state rather than stored in plain text
const token = secret(
    all([serviceAccount, audience]).apply(async ([serviceAccount, audience]) => {
        const client = await auth.getClient();
        const response = await client.request<{ token: string }>({
            method: 'POST',
            url: `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${encodeURIComponent(
                serviceAccount,
            )}:generateIdToken`,
            data: {
                audience,
                // adds the service account e-mail as a claim, so the trust policy can match on it
                includeEmail: true,
            },
        });
        return response.data.token;
    }),
);

// AWS provider that assumes the role with the Google ID token instead of long-lived AWS keys
const provider = new aws.Provider('aws', {
    region: 'eu-west-1',
    assumeRoleWithWebIdentity: {
        roleArn: awsRoleArn,
        webIdentityToken: token,
    },
});

new aws.s3.Bucket('my-bucket-53efcbd4499a768d', { tags: { foo: 'bar' } }, { provider });
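The gist shows the Pulumi side of the exchange but not the other half: the IAM role behind `awsRoleArn` only accepts the token if its trust policy allows `accounts.google.com` as a federated principal, and that policy should be scoped to the one audience and the one service account so no other Google-issued token can assume the role. The following is an added example, not code from the gist or from Pulumi: it builds such a trust policy document and runs a local pre-flight check that decodes the ID token's claims and confirms they would satisfy the policy's conditions. It assumes `accounts.google.com:aud` and `accounts.google.com:email` are the condition keys AWS provides for Google web-identity federation (the e-mail claim is present because the gist calls `generateIdToken` with `includeEmail: true`). The sample token is constructed and unsigned; AWS verifies the real signature, this check only makes a wrong audience or account fail fast with a readable error instead of an opaque `AccessDenied` from STS.

```typescript
// Added example (not part of the gist): trust policy for the role behind awsRoleArn,
// plus a claims-only pre-flight check of the Google ID token against that policy.
// Assumed: accounts.google.com:aud / accounts.google.com:email condition keys.

interface TrustPolicy {
    Version: '2012-10-17';
    Statement: Array<{
        Effect: 'Allow';
        Principal: { Federated: 'accounts.google.com' };
        Action: 'sts:AssumeRoleWithWebIdentity';
        Condition: { StringEquals: Record<string, string> };
    }>;
}

// Trust policy scoped to one audience and one service account e-mail, so a token
// minted for any other Google service account (or audience) cannot assume the role.
function buildGoogleFederationTrustPolicy(audience: string, serviceAccountEmail: string): TrustPolicy {
    return {
        Version: '2012-10-17',
        Statement: [
            {
                Effect: 'Allow',
                Principal: { Federated: 'accounts.google.com' },
                Action: 'sts:AssumeRoleWithWebIdentity',
                Condition: {
                    StringEquals: {
                        'accounts.google.com:aud': audience,
                        // claim exists because generateIdToken was called with includeEmail: true
                        'accounts.google.com:email': serviceAccountEmail,
                    },
                },
            },
        ],
    };
}

interface IdTokenClaims {
    iss?: string;
    aud?: string;
    sub?: string;
    email?: string;
    iat?: number;
    exp?: number;
}

function base64UrlDecode(s: string): string {
    // Node's base64 decoder tolerates the missing padding of base64url
    return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

function base64UrlEncode(s: string): string {
    return Buffer.from(s, 'utf8').toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the payload segment of a JWT without verifying it (claims inspection only).
function decodeIdTokenClaims(token: string): IdTokenClaims {
    const parts = token.split('.');
    if (parts.length !== 3) {
        throw new Error('not a JWT: expected three dot-separated segments');
    }
    return JSON.parse(base64UrlDecode(parts[1])) as IdTokenClaims;
}

// Compare the token's claims with the StringEquals conditions of the trust policy.
// Returns an empty list when the token would satisfy the policy, otherwise one
// message per mismatch so the misconfiguration is obvious before calling STS.
function checkTokenAgainstPolicy(
    token: string,
    policy: TrustPolicy,
    nowSeconds: number = Math.floor(Date.now() / 1000),
): string[] {
    const claims = decodeIdTokenClaims(token);
    const required = policy.Statement[0].Condition.StringEquals;
    const problems: string[] = [];
    if (claims.iss !== 'https://accounts.google.com' && claims.iss !== 'accounts.google.com') {
        problems.push(`unexpected issuer: ${claims.iss}`);
    }
    if (claims.aud !== required['accounts.google.com:aud']) {
        problems.push(`audience ${claims.aud} does not match trust policy audience ${required['accounts.google.com:aud']}`);
    }
    if (claims.email !== required['accounts.google.com:email']) {
        problems.push(`email ${claims.email} does not match trust policy email ${required['accounts.google.com:email']}`);
    }
    if (claims.exp === undefined || claims.exp <= nowSeconds) {
        problems.push('token is expired or has no exp claim');
    }
    return problems;
}

// Constructed, unsigned token for local testing; the signature segment is a placeholder.
function makeSampleToken(claims: IdTokenClaims): string {
    const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
    const payload = base64UrlEncode(JSON.stringify(claims));
    return `${header}.${payload}.${base64UrlEncode('constructed-signature')}`;
}
```

In a Pulumi program the policy document would be passed as the `assumeRolePolicy` of the `aws.iam.Role` that `awsRoleArn` points at, and `checkTokenAgainstPolicy` can run inside the `apply` callback right after `generateIdToken` returns, throwing on a non-empty result. Matching on `email` rather than `sub` is a readability choice; the numeric unique ID in `sub` is the more stable identifier if the service account might be deleted and recreated under the same name.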