Configuring OpenID Connect for AWS with Pulumi Deployments
This document outlines the steps required to configure Pulumi Deployments to use OpenID Connect to authenticate with AWS. OIDC in AWS uses a web identity provider to assume an IAM role. Access to the IAM role is authorized using a trust policy that validates the contents of the OIDC token issued by Pulumi Cloud.
Create the identity provider
- In the navigation pane of the IAM console, choose Identity providers, and then choose Add provider.
- In the Provider type section, click the radio button next to OpenID Connect.
- For the Provider URL, provide the following URL:
https://api.pulumi.com/oidc
- For the Audience field, enter the name of your Pulumi organization. Then click Add provider.
Configure the IAM role and trust policy
Once you have created the identity provider, you will see a notification at the top of your screen prompting you to assign an IAM role.
- Click the Assign role button.
- Select the Create a new role option, then click Next.
- On the IAM Create role page, ensure the Web identity radio button is selected.
- In the Web identity section:
  - Select api.pulumi.com/oidc under Identity provider.
  - Select the name of your Pulumi organization under Audience. Then click Next.
- On the Add permissions page, select the permissions that you want to grant to your Pulumi deployments. AdministratorAccess will be required most of the time, as most AWS workloads create IAM resources, which in turn requires full admin access. Then click Next.
- Provide a name and optional description for the IAM role. Then click Create role.
Make a note of the IAM role’s ARN; it will be necessary to enable OIDC for your deployment.
For more granular access control, edit the trust policy of your IAM role with token claims. The sub claim can be customized as shown below.
In the following example, the role may only be assumed by stacks within the Core project of the contoso organization:
"Condition": {
    "StringEquals": {
        "api.pulumi.com/oidc:aud": "contoso"
    },
    "StringLike": {
        "api.pulumi.com/oidc:sub": "pulumi:deploy:org:contoso:project:Core:*"
    }
}
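The Condition block above is only a fragment of the role's trust policy. The following added example (not from the Pulumi docs or Pulumi's own code) builds the complete trust policy around it and evaluates the StringEquals/StringLike conditions against sample token claims, so you can see which deployments the role would accept before you save it. The account ID in the provider ARN is a placeholder, and the sample sub values are constructed: only the prefix shown on the page is assumed about their layout.

```python
import json
import re

# Constructed placeholder account ID: use the provider ARN from your own account.
OIDC_PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/api.pulumi.com/oidc"

def trust_policy(org: str, project: str) -> dict:
    """Trust policy for the role, limited to deployments of one org and one project."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": OIDC_PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"api.pulumi.com/oidc:aud": org},
                "StringLike": {
                    "api.pulumi.com/oidc:sub": f"pulumi:deploy:org:{org}:project:{project}:*"
                },
            },
        }],
    }

def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def claims_satisfy(policy: dict, claims: dict) -> bool:
    """Evaluate the Condition block: every key of every operator must match, else deny."""
    cond = policy["Statement"][0]["Condition"]
    # Condition keys look like "api.pulumi.com/oidc:sub"; the token claim name follows the colon.
    for key, expected in cond.get("StringEquals", {}).items():
        if claims.get(key.split(":", 1)[1]) != expected:
            return False
    for key, pattern in cond.get("StringLike", {}).items():
        if not string_like(pattern, claims.get(key.split(":", 1)[1], "")):
            return False
    return True

if __name__ == "__main__":
    policy = trust_policy("contoso", "Core")
    print(json.dumps(policy, indent=2))
    # Constructed sample claims; a different project or audience must be denied.
    for aud, sub in [("contoso", "pulumi:deploy:org:contoso:project:Core:stack:prod"),
                     ("contoso", "pulumi:deploy:org:contoso:project:Billing:stack:prod"),
                     ("other-org", "pulumi:deploy:org:contoso:project:Core:stack:prod")]:
        print(f"{aud:10} {sub:55} allowed={claims_satisfy(policy, {'aud': aud, 'sub': sub})}")
```

Note that the trailing colon before the wildcard matters: a pattern of project:Core* would also admit a project named CoreX.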
Configure OIDC via the Pulumi console
- Navigate to your stack in the Pulumi Console.
- Open the stack’s “Settings” tab.
- Choose the “Deploy” panel.
- Under the “OpenID Connect” header, toggle “Enable AWS Integration”.
- Enter the ARN of the IAM role created above in the “Role ARN” field.
- Enter a name for the assumed role session in the “Session Name” field.
- If you would like to use additional policies to further constrain the session’s capabilities, enter the policies’ ARNs separated by commas in the “Policy ARNs” field.
- If you would like to constrain the duration of the assumed role session, enter a duration in the form “XhYmZs” in the “Session Duration” field.
- Click the “Save deployment configuration” button.
With this configuration, each deployment of this stack will attempt to exchange the deployment's OIDC token for AWS credentials using the specified IAM role prior to running any pre-commands or Pulumi operations. The fetched credentials are published in the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables. The raw OIDC token is also available for advanced scenarios in the PULUMI_OIDC_TOKEN environment variable and the /mnt/pulumi/pulumi.oidc file.