diff --git a/themes/default/content/docs/pulumi-cloud/deployments/oidc/aws.md b/themes/default/content/docs/pulumi-cloud/deployments/oidc/aws.md index 08e86e8833a..1bda4b065ff 100644 --- a/themes/default/content/docs/pulumi-cloud/deployments/oidc/aws.md +++ b/themes/default/content/docs/pulumi-cloud/deployments/oidc/aws.md @@ -19,31 +19,86 @@ This document outlines the steps required to configure Pulumi Deployments to use * You must be an admin of your Pulumi organization. -## Adding the identity provider to AWS +## How to set up by manual + +Create OIDC provider and IAM role from AWS Management Console. + +### Adding the identity provider to AWS To add the Pulumi Cloud as an OIDC provider for IAM, see the [relevant AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html). * For the provider URL, use `https://api.pulumi.com/oidc` * For the audience, use the name of your organization -## Configuring the IAM Role and Trust Policy +### Configuring the IAM Role and Trust Policy To configure the role and trust in IAM, see the AWS documentation for [creating a role for web identity or OpenID connect federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create). * For the identity provider, choose the provider you created above * For the audience, choose the name of your organization -For more granular access control, edit the trust policy to add the `sub` claim to the policy's conditions with an appropriate patter. In the following example, the role may only be assigned by stacks within the "Core" project: +For more granular access control, edit the trust policy to add the `sub` claim to the policy's conditions with an appropriate patter. In the following example, the role may only be assigned by stacks: ```json "Condition": { "StringLike": { "api.pulumi.com/oidc:aud": "", - "api.pulumi.com/oidc:sub": "pulumi:deploy:org::project:Core:*" + "api.pulumi.com/oidc:sub": "pulumi:deploy:org::project::*" } } ``` +## How to set up by CloudFormation +It is possible to create OIDC provider and IAM role to deploy the below CloudFormation Stack. + +```yaml +AWSTemplateFormatVersion: '2010-09-09' +Description: "OIDC for Pulumi" + +Parameters: + OrgName: + Type: String + Description: the name of your Pulumi Organization + ProjectName: + Type: String + Description: If you want to allow all projects, etner *. + +Resources: + IAMOIDCProvider: + Type: AWS::IAM::OIDCProvider + Properties: + Url: https://api.pulumi.com/oidc + ClientIdList: + - !Ref OrgName + ThumbprintList: + - 9e99a48a9960b14926bb7f3b02e22da2b0ab7280 + IAMRole: + Type: AWS::IAM::Role + Properties: + Path: / + RoleName: OpenID-PulumiCloud + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Federated: !Ref IAMOIDCProvider + Action: sts:AssumeRoleWithWebIdentity + Condition: + StringLike: + api.pulumi.com/oidc:sub: !Sub pulumi:deploy:org:${OrgName}:project:${ProjectName}:* + api.pulumi.com/oidc:aud: !Ref OrgName + MaxSessionDuration: 3600 + ManagedPolicyArns: + - arn:aws:iam::aws:policy/AdministratorAccess +``` + +### Parameters +* OrgName: Enter the name of your organization. +* ProjectName: Enter the name of your project. If you want to allow all projects, etner `*`. + +![cloudformation-stack-deploy](/images/docs/reference/console/cloudformation-stack-deploy.png) + Make a note of the IAM role's ARN; it will be necessary to enable OIDC for your stack. ## Enabling OIDC for your Stack diff --git a/themes/default/static/images/docs/reference/console/cloudformation-stack-deploy.png b/themes/default/static/images/docs/reference/console/cloudformation-stack-deploy.png new file mode 100644 index 00000000000..d0d4cf268fc Binary files /dev/null and b/themes/default/static/images/docs/reference/console/cloudformation-stack-deploy.png differ