ok… here’s another one. I have the following role assuming pattern locally (for… reasons):

role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_xxxxxxxxx (the role I am logged into via the CLI)

=> assumes

role/service-role/AWSControlTowerAdmin (via Pulumi.<stack>.yaml config var aws:assumeRole.roleArn)

=> assumes

role/AWSControlTowerExecution (via `aws.Provider` in the Pulumi code)

locally this works. When running via Pulumi Deployments it doesn’t seem to. The Deployment “configuration” seems to show the correct

aws:assumeRole

value but it doesn’t get assumed. It basically skips the middle assumption and uses the Deployment role to try to directly assume the 3rd role, AWSControlTowerExecution and it fails. If anything I’d expect to see that

assumed-role/PulumiOIDC/pulumi

cannot assume

role/service-role/AWSControlTowerAdmin

or that

role/service-role/AWSControlTowerAdmin

cannot assume

role/AWSControlTowerExecution

, but I’m getting

assumed-role/PulumiOIDC/pulumi

cannot assume

role/AWSControlTowerExecution

. This makes me think that the deploy executor is not respecting the

Pulumi.<stack>.yaml

configuration…

Does anyone have recommendations on how to think about the boundaries between Pulumi Deployments (enabled via UI + GitHub integration) and general Pulumi CI/CD? It seems like deployments enables running

pulumi up

on every commit that happens on a branch, say, the

main

branch. This would mean that only after you merge a PR does

pulumi

run. What do people do to preview changes during the branch development?

If any of ya'll think that Pulumi is the future of infrastructure, we'd appreciate a vote on this poll! https://pulumi-community.slack.com/archives/C84L4E3N1/p1679677366935849

Major Pulumi Deployments update shipped today, complete with overhauled documentation. Happy to answer any questions ya'll may have! https://pulumi-community.slack.com/archives/CB36DSVSA/p1680103635675449

Just making sure I have it, is Pulumi Deployments a drop-in replacement for something like Github Actions?

After reading this. I think this is doc on how deployment can happen in Pulumi. I dont think my question is answer from the doc. If I want to do git push deploy. Is that means every single stack in each project needs to be deploy separately? means I need to setup something for each of them? From a thread in #getting-started

Want to try out pulumi deployments but the settings ui isn’t letting me

Thanks @hallowed-photographer-31251 for fixing my github app config. Now that I’m trying to run a preview, the current problem is that I have an environment variable that I need to set programmatically. In github actions I do that by running a command and storing the result to $GITHUB_ENV. Is there an equivalent mechanism in pulumi deployments?

I’m going to share a bug that won’t be reproducible 😢 but just in case anyone else runs across it …

Thanks @dry-journalist-60579 for sharing an oidc role setup that works. • pulumi deployments assumes the role

arn:aws:sts::MGT_ACCT_ID:assumed-role/PulumiOIDC/pulumi

in my control tower management account • in

Pulumi.dev.yaml

I have

aws:assumeRole

set to

arn:aws:iam::APP_ACCT_ID:role/AWSControlTowerExecution

• when I log the result of

aws.getCallerIdentity

I get

arn:aws:sts::APP_ACCT_ID:assumed-role/AWSControlTowerExecution/aws-go-sdk-1683049420464527015

, which shows me that `aws:assumeRole`is working • … but I’m no longer able to push a docker image to ecr. It seems the code invoked by

docker.Image

doesn’t use the role given by `aws:assumeRole`:

docker:index:Image APP_IMAGE updating (1s) [diff: ~build];
warning: Failed to pull cached image <http://APP_ACCT_ID.dkr.ecr.us-east-2.amazonaws.com/APP_REPO:latest|APP_ACCT_ID.dkr.ecr.us-east-2.amazonaws.com/APP_REPO:latest>:
Error pulling cached image <http://APP_ACCT_ID.dkr.ecr.us-east-2.amazonaws.com/APP_REPO:latest|APP_ACCT_ID.dkr.ecr.us-east-2.amazonaws.com/APP_REPO:latest>:
Error response from daemon: pull access denied for <http://APP_ACCT_ID.dkr.ecr.us-east-2.amazonaws.com/APP_REPO|APP_ACCT_ID.dkr.ecr.us-east-2.amazonaws.com/APP_REPO>,
repository does not exist or may require 'docker login': denied:
User: arn:aws:sts::MGT_ACCT_ID:assumed-role/PulumiOIDC/pulumi is not authorized
to perform: ecr:BatchGetImage on resource: arn:aws:ecr:us-east-2:APP_ACCT_ID:repository/APP_REPO
because no resource-based policy allows the ecr:BatchGetImage action

I am getting access denied error when trying to create public web hosting S3 by fellow this example: https://www.pulumi.com/registry/packages/aws/api-docs/s3/bucketaclv2/#with-public-read-acl

* error creating S3 bucket ACL for <bucket name>: AccessDenied: Access Denied

I’ve set up a managed identity that has 4 federated credentials for the https://api.pulumi.com/oidc issuer, along with subject identifiers such as : pulumideployorgeffectiveflowprojectvpn gwstackdevoperationupdatescope:write - but when I run the deployment for “update”, while the app builds - when it comes to do stuff in azure, I see this in the logs: error: OIDC authentication was requested via useOidc/ARM_USE_OIDC but no token and/or any idea how I might discover whats wrong with the configuration?

@lemon-agent-27707 Biggest challenges for now • gcloud install is super slow. I need the following pre start script to make it work (the base code is from the pulumi version from 2018 so might be outdated, but a gke k8s cluster needs these packages + the creds magic to connect)

sh -c "$(curl --location <https://taskfile.dev/install.sh>)" -- -d -b .bin
curl -sLS <https://get.arkade.dev> | sh
arkade get yq
mv /root/.arkade/bin/yq /usr/local/bin/ 
./.bin/task codegen:charts
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] <https://packages.cloud.google.com/apt> cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
curl <https://packages.cloud.google.com/apt/doc/apt-key.gpg> | apt-key --keyring /usr/share/keyrings/cloud.google.gpg add - 
apt-get update
apt-get install google-cloud-sdk google-cloud-sdk-gke-gcloud-auth-plugin
echo "$GOOGLE_CREDENTIALS" > creds.json
gcloud auth activate-service-account --key-file=creds.json

• i prefer to put my secrets in the pulumi config, but for AWS just setting the accessKey and secret in there does not work, so i have to add the env vars in the UI • i have not pulumified the deployments setup, but i would love to set up deployments and the webhooks up at a project level, as my projects are 10-20 stacks of the same things (e.g. clusters in different cloud providers in different regions)

Oh, a stackname env var would also be cool, i'm trying to get a value from the config but it says no stack selected and printenv does not expose anything related to the stack for the run

Hello Team, I am currently working on a project to design a CI/CD process for managing account-level database objects (such as users, roles, databases) using Pulumi. To refine our approach, I'm looking for insights from those who have experience with similar projects. Could you kindly share the Git workflows you have found to be most effective for this task? Additionally, I'm curious about the branching strategies that have worked well in your experience. Your recommendations and shared experiences will greatly contribute to the effectiveness of this project. I truly appreciate your time and assistance.

I’m having a new issue when running my Github Actions with Pulumi (Image Attached) I haven’t seen this before. Do I need to configure my Deployment in Pulumi UI to include ENVs for AWS? The Github Action was working fine just yesterday without these variables

I’ve had an excellent experience with deployments so far 🙂 Great docs. Smooth sailing. 👍🏻

Best way to get the status of the latest deployment?

I’m looking to switch from building my containers as part of Github Actions to Pulumi deployments. It’s a little unclear to me if this will automatically build the image and what it will do if the image fails to build

const customImage = new docker.Image("customImage", {
  imageName: `${registry.server}/${imageName}`,
  build: {
    context: "./path/to/your/dockerfile",
  },
  registry: {
    server: registry.server,
    username: registry.username,
    password: registry.password,
  },
});

Announcing Review Stacks - powered by Pulumi Deployments 🚀 https://pulumi-community.slack.com/archives/CB36DSVSA/p1686759675815729

Clicking the “Set up your webhook integration.” link in a stack created by a deployment results in a 404.

How do you set stack config values when creating a deployment? Adding

pulumi config

cli calls in the pre-run commands?

Hi there, I've been digging into Review Stacks since the announcement this week and I was wondering if there were recommendations for supporting a multi-project preview (will thread details)

We just launched support for dependent stack updates via Pulumi Deployments. You can now configure automated Deployments to keep stack references up to date 🚀 https://pulumi-community.slack.com/archives/CB36DSVSA/p1687280202924809

I’ve consistently been getting then error when using the github action with the

up

command. I’m only running on command at a time on the project and stack.

Guessing my configuration is wrong. Action looks like this

jobs:
  deploy:
    name: Deploy Development
    runs-on: ubuntu-latest
    environment: dev
  
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 16
         
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}
      
      - name: Install Dependencies
        run: |
          cd sync-driver-auth-service
          yarn install 
          cd ../sync-service-cr-creator
          yarn install
          cd ../sync-service-cr-resolver
          yarn install
          cd ../sync-service-streamos-sync
          yarn install
          cd ../sync-service-webhook-service
          yarn install
      - run: npm install
        working-directory: infrastructure
      - uses: pulumi/actions@v3
        with:
          command: up
          stack-name: dev 
          work-dir: infrastructure
        env:
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}

hi, I wonder if someone can help me. I'm trying to login to GCP with SA but getting bellow error. What I do wrong?

pulumi  version
v3.73.0

export GOOGLE_APPLICATION_CREDENTIALS=$(cat key.json)

✅

echo $GOOGLE_APPLICATION_CREDENTIALS

✅

echo $GOOGLE_APPLICATION_CREDENTIALS | jq .

✅

gcloud auth activate-service-account --key-file=$GOOGLE_APPLICATION_CREDENTIALS

✅

pulumi config set gcp:project <redacted>

❌

error: missing google credentials: unable to find gcp credentials: google: error getting credentials using GOOGLE_APPLICATION_CREDENTIALS environment variable: open {
  "type": "service_account",
  "project_id": "redacted",
  "private_key_id": "redacted",
  "private_key": "-----BEGIN PRIVATE KEY-----\redacted\n-----END PRIVATE KEY-----\n",
  "client_email": "redacted@redacted",
  "client_id": "redacted",
  "auth_uri": "redacted",
  "token_uri": "redacted",
  "auth_provider_x509_cert_url": "redacted",
  "client_x509_cert_url": "redacted",
  "universe_domain": "redacted"
}: file name too long

pulumi config set --secret gcp:credentials ./key.json

❌

error: missing google credentials: unable to find gcp credentials: google: error getting credentials using GOOGLE_APPLICATION_CREDENTIALS environment variable: open {
  "type": "service_account",
  "project_id": "redacted",
  "private_key_id": "redacted",
  "private_key": "-----BEGIN PRIVATE KEY-----\redacted\n-----END PRIVATE KEY-----\n",
  "client_email": "redacted@redacted",
  "client_id": "redacted",
  "auth_uri": "redacted",
  "token_uri": "redacted",
  "auth_provider_x509_cert_url": "redacted",
  "client_x509_cert_url": "redacted",
  "universe_domain": "redacted"
}: file name too long

--------------- --------------- In my CICD Im using:

pulumi config set gcp:credentials ${GOOGLE_APPLICATION_CREDENTIALS}
pulumi login <gs://bucket>

s there a bug in Pulumi as I get an error:

error: PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions

set the channel topic: Pulumi Deployments: https://www.pulumi.com/docs/pulumi-cloud/deployments/

set the channel topic: https://www.pulumi.com/docs/pulumi-cloud/deployments/