Support aws:assumeRole for pulumi env run and CLI/GitHub Actions contexts #593

@MeganYTan

Description

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Currently, the aws:assumeRole block defined in a Pulumi ESC environment only applies when a Pulumi AWS provider runs during pulumi preview or pulumi up. This means that when using pulumi env run in GitHub Actions or from the command line, the environment remains authenticated with the base OIDC role and does not assume the secondary role specified under aws:assumeRole.
This limits the ability to run AWS CLI commands or other automation workflows (e.g., GitHub Actions steps) within a different target account context from the OIDC's account context. For example, in the following ESC environment:

values:
  aws:
    login:
      fn::open::aws-login:
        oidc:
          duration: 1h
          roleArn: arn:aws:iam::<account-id-1>:role/role1
          sessionName: pulumi-environments-session
          subjectAttributes:
            - currentEnvironment.name
            - pulumi.user.login
  environmentVariables:
    AWS_ACCESS_KEY_ID: ${aws.login.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${aws.login.secretAccessKey}
    AWS_SESSION_TOKEN: ${aws.login.sessionToken}
  pulumiConfig:
    aws:region: us-east-1
    aws:assumeRole:
      roleArn: arn:aws:iam::<account-id-2>:role/role2

When used by Pulumi programs, resources are correctly created in the target account (account 2).
However, when running pulumi env run or inside GitHub Actions, the credentials reflect only the base OIDC role from the identity account (account 1), not the target account role (account 2).

Workaround

A workaround exists by explicitly exposing the target role ARN under values and using a bash script within pulumi env run to call aws sts assume-role manually. Example:

pulumi env run AWS-credentials-test/dev -- bash -euo pipefail -c '
CREDS=$(aws sts assume-role \
  --role-arn "$TARGET_ROLE_ARN" \
  --role-session-name esc-cli \
  --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
  --output text)
read -r AK SK ST <<< "$CREDS"
export AWS_ACCESS_KEY_ID="$AK" AWS_SECRET_ACCESS_KEY="$SK" AWS_SESSION_TOKEN="$ST"
aws sts get-caller-identity
'

This works for both CLI and GitHub Actions, but it’s a manual and error-prone process that complicates automation workflows.

Feature Request

This feature request is for adding support for aws:assumeRole to automatically apply within pulumi env run contexts, so that:

  • The assumed role credentials are automatically available in the shell environment, simplifying AWS multi-account setups.
  • GitHub Actions and CLI commands executed via pulumi env run inherit the same credentials used by Pulumi programs.
  • The need for custom scripting is eliminated, reducing configuration complexity and manual intervention.
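Added example, not code from the issue author or from Pulumi: a POSIX shell version of the manual workaround above that fails closed if the identity obtained after assume-role is not actually in the account named by the target role ARN. It assumes the ESC environment exports the target role ARN as TARGET_ROLE_ARN (a hypothetical environmentVariables entry, not part of the environment shown in the issue) and that the aws CLI is on PATH. The parsing and checking functions run offline; only invoking the script with `--run` under `pulumi env run` calls AWS.

```shell
#!/bin/sh
# Added example (not from the issue or from Pulumi). Wraps the manual
# `aws sts assume-role` workaround so that credentials are only exported after
# the resulting identity is verified to belong to the target account.
# Assumes TARGET_ROLE_ARN is exported by the ESC environment (hypothetical).
set -eu

# Extract the 12-digit account id from an IAM ARN such as
# arn:aws:iam::123456789012:role/role2 (field 5 when split on ':').
account_from_arn() {
  acct=$(printf '%s' "$1" | cut -d: -f5)
  case $acct in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
      printf '%s\n' "$acct" ;;
    *)
      echo "account_from_arn: not an IAM ARN: $1" >&2
      return 1 ;;
  esac
}

# Turn the three-field text output requested with
#   --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" --output text
# into export statements. Exactly three fields are required, so a truncated or
# errored call never leaves the base OIDC credentials silently in place.
# STS credential values never contain single quotes, so quoting with '...' is safe.
creds_to_exports() {
  # shellcheck disable=SC2086
  set -- $1
  if [ "$#" -ne 3 ]; then
    echo "creds_to_exports: expected 3 fields, got $#" >&2
    return 1
  fi
  printf "export AWS_ACCESS_KEY_ID='%s' AWS_SECRET_ACCESS_KEY='%s' AWS_SESSION_TOKEN='%s'\n" \
    "$1" "$2" "$3"
}

# Compare the Account reported by `aws sts get-caller-identity` with the
# account embedded in the role ARN that was supposed to be assumed.
identity_matches_role() {
  identity_account=$1
  expected=$(account_from_arn "$2") || return 1
  [ "$identity_account" = "$expected" ]
}

# Assume the target role with the credentials already in the environment
# (the base OIDC role from the ESC environment), export the new credentials,
# and verify the caller identity before returning.
assume_target_role() {
  role_arn=${TARGET_ROLE_ARN:?TARGET_ROLE_ARN must be exported by the ESC environment}
  creds=$(aws sts assume-role \
    --role-arn "$role_arn" \
    --role-session-name esc-cli \
    --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
    --output text)
  eval "$(creds_to_exports "$creds")"
  identity=$(aws sts get-caller-identity --query Account --output text)
  if ! identity_matches_role "$identity" "$role_arn"; then
    echo "assumed identity is in account $identity, expected $(account_from_arn "$role_arn")" >&2
    return 1
  fi
}

# Only touch AWS when explicitly asked, e.g.
#   pulumi env run AWS-credentials-test/dev -- sh ./assume_target.sh --run
# so the functions above can be sourced or tested without network access.
if [ "${1:-}" = "--run" ]; then
  assume_target_role
  aws sts get-caller-identity
fi
```

The verification step is the part the hand-written workaround lacks: if assume-role fails or returns something unexpected, the script exits non-zero instead of letting subsequent commands run against the identity account with the base role.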
