What AWS role and policies are needed to assume a role with pulumi?

[capaj]

I am trying to introduce a pulumi on a project where they currently deploy everything on heroku. I've used pulumi in the past with no issues.
Our admin on this current project is very strict and does not want to give devops users AdministratorAccess policy.
They want to create a new role which would have limited access to what is necessary.
Problem is whenever I run pulumi up on this basic code:

import * as awsx from '@pulumi/awsx'
import * as aws from '@pulumi/aws'
const roleToAssumeARN = 'arn:aws:iam::XXXXXXXXXXXXX:user/pulumi'
const provider = new aws.Provider('privileged', {
    assumeRole: {
    roleArn: roleToAssumeARN,
    sessionName: 'PulumiSession',
    externalId: 'PulumiApplication'
  },
region: aws.config.requireRegion()
})
const cluster = new awsx.classic.ecs.Cluster('cluster', undefined, { provider })
// rest of my code

I get this error:

  Previewing update (dev)
  View in Browser (Ctrl+O): 
  Type                     Name                      Plan     Info
  pulumi:pulumi:Stack      tf-pulumi-comparison-dev
  └─ pulumi:providers:aws  privileged                         1 error
  Diagnostics:
  pulumi:providers:aws (privileged):
  error: pulumi:providers:aws resource 'privileged' has a problem: unable to validate AWS credentials.
  Details: Cannot assume IAM Role. IAM Role (arn:aws:iam::XXXXXXXXXX:user/pulumi) cannot be assumed.
  There are a number of possible causes of this - the most common are:
  * The credentials used in order to assume the role are invalid
  * The credentials do not have appropriate permission to assume the role
  * The role ARN is not valid
  Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 9dfaa25d-a847-4d6d-b04b-ca3d63a7e2c6, api error AccessDenied: User: arn:aws:iam::XXXXXXXXX:user/capaj is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXX:user/pulumihttps://app.pulumi.com/capaj/tf-pulumi-comparison/dev/previews/e566e71b-a7c6-477e-8634-ec049e5a4c01

Keep in mind the pulumi up works perfectly fine on my other AWS account where I have AdministratorAccess

The admin added this policy for my user-that had no effect and I still get 403:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::XXXXXXXXX:role/pulumi"
        }
    ]
}

I also posted this on reddit here: https://www.reddit.com/r/pulumi/comments/1fv3jcf/what_aws_role_an_policies_are_needed_to_assume/

[smithrobs]

Two thoughts:

• In your code roleToAssumeARN is specifying a user. I assume you're already logged in as user/pulumi; did you mean this to be the role your admin provided?

• You mention your admin added policy for user/pulumi - did they also add policy to the role you want to assume?

arn:aws:iam::XXXXXXXXX:user/pulumi:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionToAssumeAlice",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::XXXXXXXXX:role/pulumi" // role you want to assume
    }
  ]
}

arn:aws:iam::XXXXXXXXX:role/pulumi

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXX:user/pulumi" // user assuming role
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

(src: https://repost.aws/knowledge-center/iam-assume-role-error)

[capaj]

did you mean this to be the role your admin provided?

yes this was the problem:
when I use the ARN of the role rather than the user it works!

Thank you so much!