pulumi / esc

Pulumi ESC (Environments, Secrets, and Configuration) for cloud applications and infrastructure.
https://www.pulumi.com/product/esc/
Apache License 2.0

ESC AWS OIDC provider does not support Gov Cloud #256

Open MitchellGerdisch opened 7 months ago

MitchellGerdisch commented 7 months ago

What happened?

Trying to use the AWS login provider to create OIDC temporary creds for AWS gov cloud. But get an error when doing an "open":

values.aws.login:
  Error: WebIdentityErr: failed to retrieve credentials
  caused by: InvalidIdentityToken: No OpenIDConnect provider found in your account for https://api.pulumi.com/oidc
  status code: 400, request id: xxxxxxxx

Also tested running on command line with export AWS_ENDPOINT_URL_STS=sts.us-gov-west-1.amazonaws.com and then esc open to see if ESC would consume the gov cloud endpoint. But it didn't.

Example

values:
  aws:
    region: us-gov-west-1
    creds:
      fn::open::aws-login:
        oidc:
          duration: 1h
          roleArn: arn:aws:iam::xxxxxxxxxx:role/yyyyyyyyyyy
          sessionName: zzzzzzzzzz
  environmentVariables:
    AWS_ACCESS_KEY_ID: ${aws.creds.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${aws.creds.secretAccessKey}
    AWS_SESSION_TOKEN: ${aws.creds.sessionToken}
  pulumiConfig:
    aws:region: ${aws.region}

Output of pulumi about

Happens in Pulumi Cloud UI as well as on command line with esc version 0.8.0

Additional context

No response

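A partition-aware preflight check for an environment shaped like the one above, added here as an example and not code from ESC or from the issue: it resolves the STS endpoint for the configured region (honouring AWS_ENDPOINT_URL_STS as the reporter tried, normalised to a full URL), and flags a roleArn whose partition does not match the region, since GovCloud IAM and STS live in the separate aws-us-gov partition. The ESC values, account id and role name are constructed placeholders.

```python
import os
import re
from typing import Mapping

# Constructed ESC values mirroring the shape of the issue's example (placeholder account/role).
ESC_VALUES = {
    "aws": {
        "region": "us-gov-west-1",
        "creds": {"fn::open::aws-login": {"oidc": {
            "duration": "1h",
            "roleArn": "arn:aws-us-gov:iam::123456789012:role/esc-oidc-role",
            "sessionName": "esc-preflight",
        }}},
    }
}

ARN_RE = re.compile(r"^arn:(?P<partition>[^:]+):iam::(?P<account>\d{12}):role/.+$")


def partition_for_region(region: str) -> str:
    """Map an AWS region to its partition; GovCloud is a separate IAM/STS partition."""
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"


def sts_endpoint(region: str, env: Mapping[str, str] = os.environ) -> str:
    """Resolve the STS endpoint: AWS_ENDPOINT_URL_STS wins, else the regional endpoint."""
    override = env.get("AWS_ENDPOINT_URL_STS")
    if override:
        # Assumption: the SDK expects a full URL here; a bare host (as in the issue) is normalised.
        return override if "://" in override else f"https://{override}"
    return f"https://sts.{region}.amazonaws.com"


def preflight(values: dict, env: Mapping[str, str] = os.environ) -> list:
    """Return findings; an empty list means roleArn and STS endpoint agree with the region."""
    aws = values["aws"]
    region = aws["region"]
    oidc = aws["creds"]["fn::open::aws-login"]["oidc"]
    m = ARN_RE.match(oidc["roleArn"])
    if not m:
        return [f"roleArn is not an IAM role ARN: {oidc['roleArn']}"]
    want = partition_for_region(region)
    findings = []
    if m.group("partition") != want:
        findings.append(f"roleArn partition {m.group('partition')!r} does not match region {region} ({want!r})")
    endpoint = sts_endpoint(region, env)
    if want == "aws-us-gov" and ".us-gov-" not in endpoint:
        findings.append(f"STS endpoint {endpoint} is outside the GovCloud partition")
    return findings
```

Run preflight against the environment before `esc open`; a non-empty list points at a partition mismatch to fix before debugging the OIDC trust itself.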

dougireton commented 3 months ago

I'm trying to use the Pulumi OIDC provider in our AWS GovCloud account to support Pulumi Deployments.

I have successfully created the api.pulumi.com/oidc provider and IAM Role per the Pulumi OIDC AWS Provider doc. I have enabled the AWS Integration in Pulumi Deployments settings and put in the IAM Role ARN and Session Name.

When I manually trigger a Preview Deployment, it fails consistently with this error:

Fetch provider credentials via OIDC
$ /pulumi-deploy-executor oidc --workDir="/deployment"

Error: fetching AWS credentials: WebIdentityErr: failed to retrieve credentials
caused by: InvalidIdentityToken: No OpenIDConnect provider found in your account for https://api.pulumi.com/oidc
  status code: 400, request id: 47841196-a280-4c19-a9c4-0938618aba7d

Separately, I have successfully set up a similar OIDC provider for GitHub Actions which we use for ECS Deployments. This works. The Pulumi OIDC provider does not.