# aws
m
Does the following work with your profile?
```shell
aws --profile my-profile sts get-caller-identity
```
b
```shell
$ aws --profile my-profile sts get-caller-identity
{
    "UserId": "XXXXXXXXXXXXXXXX:botocore-session-1234567890",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/my-profile-role/botocore-session-1234567890"
}
```
yeah, returns what you'd expect, yet pulumi preview/up throws the 403 error
```shell
# Assume the role once with the CLI and export the temporary credentials
# (access key, secret key, session token) into the current shell.
export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
  $(aws sts assume-role \
    --role-arn arn:aws:iam::123456789012:role/my-profile-role \
    --role-session-name MySessionName \
    --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
    --output text))
```
running this before the pulumi cmd does work
m
How are you managing your Pulumi state? self-hosted or the Pulumi service?
b
in a cloud storage bucket (using pulumi for GCP for over a year and now venturing into AWS)
m
Sorry, your state backend for this AWS deployment is managed in GCP or is it in AWS as well?
b
s3 for AWS 🙂
```shell
pulumi login 's3://my-pulumi-bucket?profile=my-profile'
```
this is the login cmd and it works fine
m
Okay, that's the question I was leading towards, whether your pulumi bucket was declared in the backend of your `Pulumi.yaml`
Try adding this to it, replacing your region
```text
?region=us-east-1&awssdk=v2
```
you can also validate that you're successfully communicating with the state bucket with:
```shell
pulumi whoami
```
b
there's no issue with the login cmd, can do stack select etc. after it. It's purely with up/preview/destroy not assuming the role
m
Alright
What fields do you use in your aws profile? Are they all supported by the provider? e.g. `mfa_serial` is not
b
no MFA on this, all profiles are like so:
```ini
[profile my-profile]
source_profile = default
role_arn = arn:aws:iam::123456789012:role/my-profile-role
output = json
region = ap-northeast-1
```
m
That looks okay. You could try specifying an explicit provider if you aren't already, and passing that in the opts of your resource declarations.
or try explicitly adding an `sts_region` to your profile
b
I've set AWS_REGION in the env as sts complained without it. Just find it odd that with boto/aws cli the way my config/credentials are set up works without issue, and for pulumi to use them I have to run the assume-role/export cmd above (so it's not really using them, I'm forcing it around them)
m
If you're using the latest MAJOR AWS provider, you should be aware that there was a breaking change in the underlying terraform provider. You cannot expect environment variables to override profile values like you could in the previous version.
b
Thanks for the info. Ideally I'd like to not have to set env vars but when I add these values to the pulumi config yaml I get the same false error. The only way I've gotten pulumi to work is by exporting the results from the sts cmd as env vars