https://pulumi.com logo
Title
c

curved-kitchen-24115

04/20/2023, 9:47 PM
we’ve recently migrated from an in environment where we’d run
AWS_PROFILE=admin pulumi up -s <org>/<stack>
(locally) to an environment where the instances we run on have the permissions the admin profile had as part of their instance profile. Now when we run
pulumi up -s <org>/<stack>
we get the following printed to our terminal:
The config profile (admin) could not be found
. At no point have we done
pulumi config set aws:profile admin -s <org>/<stack>
- so I’m pretty confused as to why this is showing up in the terminal. The message itself is definitely from the AWS SDK (this is well documented on the web). What’s not clear to me what part of pulumi is informing the SDK that the profile
admin
(specifically) is the correct profile. I’ve run
pulumi config get -s <org>/<stack>
for all of our stacks that use the AWS provider and I can confirm
aws:profile
is not present in any of them. Is anyone able to point me in the right direction to either silence this message, or determine whether it is a problem?
Running locally in this new environment I can certainly
pulumi up
and
pulumi down
, without error - so in that regard this seems to be spurious. However the message is also popping up in our github actions CI/CD flow (using pulumi/actions@v4) and there we’re seeing more permissions related issues - so I’m trying to nail down what the cause may be.
l

little-cartoon-10569

04/20/2023, 9:56 PM
The provider saved in your stack knows which profile it was created with. It won't use another one.
If you run
pulumi up
with no profile set, it'll presumably use the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, and if they're available in multiple environments, it'll work.
Even if their values are different
c

curved-kitchen-24115

04/20/2023, 9:58 PM
@little-cartoon-10569 in our case the values are coming from the AWS instance metadata api
which is what the SDK should fall back to
l

little-cartoon-10569

04/20/2023, 9:59 PM
When you first run
up
, Pulumi will create an AWS provider object and serialize that in your stack. That will include the credentials or auth method. If there's no details saved in there, it'll fall back to no-creds each time, which seems to be what you're expecting. But if there are creds saved in there (such as the value of the AWS profile), then it'll keep using them.
You can export your Pulumi stack and see what the values in your AWS provider are.
pulumi stack export --file stack.json
will create an export, then you can view it in your favourite JSON viewer and look for the AWS provider.
c

curved-kitchen-24115

04/20/2023, 10:01 PM
which seems to be what you’re expecting
correct. Is there a way to change this?
l

little-cartoon-10569

04/20/2023, 10:01 PM
Here a redacted version of one of mine.
You can see the profile is saved in there
The correct way to ensure that default credentials are used is to explicitly create the AWS provider with no profile or key properties, so that the SDK has to do its thing.
Then you need to use that provider everywhere.
If you're able to, I'd recommend running
pulumi down
first, then making the changes. This will be easiest.
If you need to resources to remain in the cloud, then you'll probably have to edit the stack manually. There may be another way to do it, but I don't know.
c

curved-kitchen-24115

04/20/2023, 10:04 PM
looking through the stack output I do not see inputs.profile or output.profile
l

little-cartoon-10569

04/20/2023, 10:04 PM
That said, I recommend not falling back to letting the SDK do its thing. This is risky.
c

curved-kitchen-24115

04/20/2023, 10:04 PM
{
                "urn": "urn:pulumi:software::eks::pulumi:providers:aws::default_5_35_0",
                "custom": true,
                "id": "a5516725-ff11-4fed-a721-770cbb09b1ab",
                "type": "pulumi:providers:aws",
                "inputs": {
                    "region": "us-east-1",
                    "version": "5.35.0"
                },
                "outputs": {
                    "region": "us-east-1",
                    "version": "5.35.0"
                },
// ... snip ...
            {
                "urn": "urn:pulumi:software::eks::pulumi:providers:aws::default_5_16_2",
                "custom": true,
                "id": "383a4162-ae02-4537-8e19-4a46bd2baaf3",
                "type": "pulumi:providers:aws",
                "inputs": {
                    "region": "us-east-1",
                    "version": "5.16.2"
                },
                "outputs": {
                    "region": "us-east-1",
                    "version": "5.16.2"
                },
                "created": "2023-04-03T17:01:29.852016463Z",
                "modified": "2023-04-03T17:01:29.852016463Z"
            },
l

little-cartoon-10569

04/20/2023, 10:05 PM
Ah. That looks correct for what you want.
So I don't know why it's looking for the admin profile. Are you in the right project and stack when you run the stack export?
c

curved-kitchen-24115

04/20/2023, 10:05 PM
there is one place where “admin” shows up - let me grab that snippet
oh, interesting
it shows up in a kubernetes related context; where the kubernetes provider has been told to use AWS_PROFILE=admin
l

little-cartoon-10569

04/20/2023, 10:07 PM
Aha. Looks like you've got a winner.
c

curved-kitchen-24115

04/20/2023, 10:08 PM
it looks as though
@pulumi/eks
(typescript) does this on our behalf 😕
l

little-cartoon-10569

04/20/2023, 10:08 PM
You can probably create the EKS provider explicitly to do what you need it to. Let me check the API.
c

curved-kitchen-24115

04/20/2023, 10:09 PM
I think it has just recorded the environment in which it was run
l

little-cartoon-10569

04/20/2023, 10:09 PM
Nope. Zero parameters in the EKS provider.
Weird.
c

curved-kitchen-24115

04/20/2023, 10:09 PM
as opposed to it being a provider arg explicitly
l

little-cartoon-10569

04/20/2023, 10:09 PM
Sorry, the "nope" was a response to "You can probably create..."
c

curved-kitchen-24115

04/20/2023, 10:10 PM
I understood your context 👍🏼
I’m going to run an up, and I feel like that’ll make this problem go away.
“problem”; as I said, it seems spurious
l

little-cartoon-10569

04/20/2023, 10:11 PM
Good. But if that doesn't work, this will be a bit tough to sort. You can rework your code to use AWS instead of EKS...
c

curved-kitchen-24115

04/20/2023, 10:22 PM
OK, confirmed
The
@pulumi/eks
package has an output of kubeconfig; it will record any environment variables that pulumi is called with. So by re-running it without
AWS_PROFILE=admin
the output no longer records that env var.