
adventurous-egg-60548

04/11/2023, 1:59 PM
Hello, I've been banging my head on this stack deployment for quite some time. I've tried using both "aws configure" (credential file) and separately "aws sso configure" (config file). Also tried exporting credentials to environment but with no luck. I'm attempting to deploy this stack here: https://docs.marlin.org/docs/User%20Guides/Oyster/quickstart-provider/preliminaries
I'm utilizing a user with AdministratorAccess. After signing into my named SSO profile the credentials are cached into the ~/.aws/sso/cache dir, but the json file the pulumi stack is looking for doesn't match the cached sso credential json. Also happy to share the --debug log, as I have noticed on previous attempts that it would appear the credentials were being utilized but would occasionally run into, when using only the credentials file vs sso config file, http response error 404 and 403.
Thanks!!
~/oyster-setup-aws$ AWS_PROFILE=Geko pulumi up
Enter your passphrase to unlock config/secrets (set PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE to remember):
Previewing update (claver):
     Type                       Name                  Plan     Info
 +   pulumi:pulumi:Stack        oyster-claver         create
 +   ├─ pulumi:providers:aws    ap-east-1             create
 +   ├─ pulumi:providers:aws    eu-central-1          create
 +   ├─ pulumi:providers:aws    eu-north-1            create
 +   ├─ pulumi:providers:aws    ap-northeast-2        create
 +   ├─ pulumi:providers:aws    eu-south-1            create
 +   ├─ pulumi:providers:aws    ap-south-1            create
 +   ├─ pulumi:providers:aws    us-west-2             create
 +   ├─ pulumi:providers:aws    ap-southeast-1        create
 +   ├─ pulumi:providers:aws    us-east-2             create
 +   ├─ pulumi:providers:aws    eu-west-3             create
 +   ├─ pulumi:providers:aws    us-east-1             create
 +   ├─ pulumi:providers:aws    eu-west-2             create
 +   ├─ pulumi:providers:aws    ap-southeast-2        create
 +   ├─ pulumi:providers:aws    eu-west-1             create
 +   ├─ pulumi:providers:aws    ca-central-1          create
 +   ├─ pulumi:providers:aws    us-west-1             create
     ├─ aws:ec2:Vpc             oyster-ap-east-1-vpc           1 error
 +   └─ pulumi:providers:aws    ap-northeast-1        create

Diagnostics:
  aws:ec2:Vpc (oyster-ap-east-1-vpc):
    error: unable to validate AWS credentials.
    Details: no valid credential sources for found.
    Please see for more information about providing credentials.
    Error: failed to refresh cached credentials, the SSO session has expired or is invalid: open /home/ubuntu/.aws/sso/cache/ca6b7ecb335b182996968041cb3d515fc456c94e.json: no such file or directory

billowy-army-68599

04/11/2023, 2:04 PM
@adventurous-egg-60548 does
aws sts get-caller-identity
return a valid arn? what environment variables do you have set?
env | grep AWS_

adventurous-egg-60548

04/11/2023, 2:18 PM
Currently I have SSO set. I am logged in via
aws sso login --profile Geko
~/oyster-setup-aws$ aws sts get-caller-identity
Unable to locate credentials. You can configure credentials by running "aws configure".

billowy-army-68599

04/11/2023, 2:42 PM
what about
aws sts get-caller-identity --profile Geko

adventurous-egg-60548

04/11/2023, 2:44 PM
Yes it returns a valid ARN
arn:aws:iam::*************:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess/Geko
I added asterisks where org ID would be.
Also in the IAM aws console shows last activity for arn around the time I logged in to sso profile

billowy-army-68599

04/11/2023, 3:00 PM
okay, set
export AWS_PROFILE=Geko
and then try rerun pulumi

adventurous-egg-60548

04/11/2023, 3:04 PM
Same error occurs:
aws:ec2:Vpc (oyster-ap-south-1-vpc):
  error: unable to validate AWS credentials.
  Details: no valid credential sources for found.
  Please see for more information about providing credentials.
  Error: failed to refresh cached credentials, the SSO session has expired or is invalid: open /home/ubuntu/.aws/sso/cache/ca6b7ecb335b182996968041cb3d515fc456c94e.json: no such file or directory

billowy-army-68599

04/11/2023, 3:17 PM
If you set that env var and rerun aws sso login
Also, what’s in your Pulumi stack configuration?

adventurous-egg-60548

04/11/2023, 3:22 PM
debug: Using shared credentials files from configuration: ["/home/ubuntu/.aws/credentials"]
debug: Using shared configuration files from configuration: "/home/ubuntu/.aws/config"
debug: Using profile from configuration: "Geko"
debug: RegisterResource RPC prepared: t=pulumi:providers:aws, name=ap-southeast-2
debug: RegisterResource RPC prepared: t=pulumi:providers:aws, name=ap-east-1
debug: RegisterResourceOutputs RPC prepared: urn=urn:pulumi:clave::oyster::pulumi:pulumi:Stack::oyster-clave
debug: RegisterResource RPC finished: resource:ap-south-1[pulumi:providers:aws]; err: null, resp: urn:pulumi:clave::oyster::pulumi:providers:aws::ap-south-1,,region,,,ap-south-1,skipCredentialsValidation,,,false,skipMetadataApiCheck,,,true,skipRegionValidation,,,true,version,,,5.27.0,,
debug: RegisterResource RPC prepared: t=aws:ec2/vpc:Vpc, name=oyster-ap-south-1-vpc
I also get a similar debug message for the remaining AWS:EC2:VPC resources:
oyster-eu-central-1-vpc
oyster-ca-central-1-vpc
oyster-us-east-2-vpc
oyster-ap-southeast-2-vpc
oyster-us-west-2-vpc
oyster-eu-north-1-vpc
oyster-eu-west-3-vpc
oyster-eu-west-1-vpc
oyster-ap-southeast-1-vpc
oyster-ap-east-1-vpc
Pulumi.yaml file:
name: oyster
description: Marlin Oyster
runtime: nodejs
Pulumi.clave.yaml (stack attempting to deploy):
encryptionsalt:v1:**********
Asterisks represent a large string of letters and numbers.

billowy-army-68599

04/11/2023, 3:25 PM
there’s no profile set in your Pulumi.clave.yaml?

adventurous-egg-60548

04/11/2023, 3:26 PM
I've set the profile numerous times before when attempting to deploy the stack. Doesn't help
I'll try again though
Same error as before with
config:
  aws:profile: Geko
set inside yaml file

billowy-army-68599

04/11/2023, 3:41 PM
something is clearly amiss 😞 hard to determine what’s going on I’m afraid. you could try https://github.com/jaxxstorm/aws-sso-creds to get a temporary aws access key, secret key and session token from your SSO profile

adventurous-egg-60548

04/11/2023, 3:46 PM
Thanks Jaxx, I'll give it a shot, thanks for your time!