curved-kitchen-24115
04/20/2023, 9:47 PMAWS_PROFILE=admin pulumi up -s <org>/<stack>
(locally) to an environment where the instances we run on have the permissions the admin profile had as part of their instance profile.
Now when we run pulumi up -s <org>/<stack>
we get the following printed to our terminal: The config profile (admin) could not be found
. At no point have we done pulumi config set aws:profile admin -s <org>/<stack>
- so I’m pretty confused as to why this is showing up in the terminal.
The message itself is definitely from the AWS SDK (this is well documented on the web). What’s not clear to me what part of pulumi is informing the SDK that the profile admin
(specifically) is the correct profile. I’ve run pulumi config get -s <org>/<stack>
for all of our stacks that use the AWS provider and I can confirm aws:profile
is not present in any of them.
Is anyone able to point me in the right direction to either silence this message, or determine whether it is a problem?pulumi up
and pulumi down
, without error - so in that regard this seems to be spurious.
However the message is also popping up in our github actions CI/CD flow (using pulumi/actions@v4) and there we’re seeing more permissions related issues - so I’m trying to nail down what the cause may be.little-cartoon-10569
04/20/2023, 9:56 PMpulumi up
with no profile set, it'll presumably use the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, and if they're available in multiple environments, it'll work.curved-kitchen-24115
04/20/2023, 9:58 PMlittle-cartoon-10569
04/20/2023, 9:59 PMup
, Pulumi will create an AWS provider object and serialize that in your stack. That will include the credentials or auth method. If there's no details saved in there, it'll fall back to no-creds each time, which seems to be what you're expecting. But if there are creds saved in there (such as the value of the AWS profile), then it'll keep using them.pulumi stack export --file stack.json
will create an export, then you can view it in your favourite JSON viewer and look for the AWS provider.curved-kitchen-24115
04/20/2023, 10:01 PMwhich seems to be what you’re expectingcorrect. Is there a way to change this?
little-cartoon-10569
04/20/2023, 10:01 PMpulumi down
first, then making the changes. This will be easiest.curved-kitchen-24115
04/20/2023, 10:04 PMlittle-cartoon-10569
04/20/2023, 10:04 PMcurved-kitchen-24115
04/20/2023, 10:04 PM{
"urn": "urn:pulumi:software::eks::pulumi:providers:aws::default_5_35_0",
"custom": true,
"id": "a5516725-ff11-4fed-a721-770cbb09b1ab",
"type": "pulumi:providers:aws",
"inputs": {
"region": "us-east-1",
"version": "5.35.0"
},
"outputs": {
"region": "us-east-1",
"version": "5.35.0"
},
// ... snip ...
{
"urn": "urn:pulumi:software::eks::pulumi:providers:aws::default_5_16_2",
"custom": true,
"id": "383a4162-ae02-4537-8e19-4a46bd2baaf3",
"type": "pulumi:providers:aws",
"inputs": {
"region": "us-east-1",
"version": "5.16.2"
},
"outputs": {
"region": "us-east-1",
"version": "5.16.2"
},
"created": "2023-04-03T17:01:29.852016463Z",
"modified": "2023-04-03T17:01:29.852016463Z"
},
little-cartoon-10569
04/20/2023, 10:05 PMcurved-kitchen-24115
04/20/2023, 10:05 PMlittle-cartoon-10569
04/20/2023, 10:07 PMcurved-kitchen-24115
04/20/2023, 10:08 PM@pulumi/eks
(typescript) does this on our behalf 😕little-cartoon-10569
04/20/2023, 10:08 PMcurved-kitchen-24115
04/20/2023, 10:09 PMlittle-cartoon-10569
04/20/2023, 10:09 PMcurved-kitchen-24115
04/20/2023, 10:09 PMlittle-cartoon-10569
04/20/2023, 10:09 PMcurved-kitchen-24115
04/20/2023, 10:10 PMlittle-cartoon-10569
04/20/2023, 10:11 PMcurved-kitchen-24115
04/20/2023, 10:22 PM@pulumi/eks
package has an output of kubeconfig; it will record any environment variables that pulumi is called with. So by re-running it without AWS_PROFILE=admin
the output no longer records that env var.