
big-jordan-24260

05/22/2023, 2:48 PM
Hi, I’m trying to understand the issue reported by this error message: pulumi:providers:aws (default): error: rpc error: code = Unknown desc = unable to validate AWS credentials. Details: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts.eu-west-1.amazonaws.com/": dial tcp: lookup sts.eu-west-1.amazonaws.com on [2001:8a0:7b3f:f500::1]:53: no such host Make sure you have set your AWS region, e.g. pulumi config set aws:region us-west-2. This is the result of pulumi up --debug. Context: The environment variables for AWS are set, and ‘aws s3 ls’ returns the list of buckets. The stack is selected. Can someone point me in the right direction on this? Thanks in advance

stocky-restaurant-98004

05/22/2023, 5:55 PM
Are you creating an explicit provider (new aws.Provider in TS) instead of using the default?

big-jordan-24260

05/22/2023, 5:55 PM
No.
This is quite strange, the change of behaviour was from one day to another, the operation that is giving me this error is pulumi up
The same with pulumi refresh

stocky-restaurant-98004

05/22/2023, 5:56 PM
Ah, "no such host"... hmm. What happens if you try to curl that URL?

big-jordan-24260

05/22/2023, 5:56 PM
Open AWS page

stocky-restaurant-98004

05/22/2023, 5:57 PM
Yeah, I'm seeing the same.

big-jordan-24260

05/22/2023, 6:00 PM
Not sure if Pulumi does any kind of test, but if I run pulumi login against the S3 bucket it is successful …

stocky-restaurant-98004

05/22/2023, 6:12 PM
OH
Are you using S3 to store your state file?

big-jordan-24260

05/22/2023, 6:12 PM
I’m trying to, yes
but this situation was also happening with pulumi cloud as a backend
That’s why I’ve moved to S3

stocky-restaurant-98004

05/22/2023, 6:14 PM
You shouldn't have to store your state file in S3 unless you want to. Pulumi should never give you an AWS-related message that is not related to the program itself unless you're using AWS for secrets or state file storage.

big-jordan-24260

05/22/2023, 6:24 PM
Sorry, I’m a little bit lost here (also new to Pulumi). From my understanding, the STS phase is for allowing the deploy of the stack into the provider, so why secrets here, unless I’ve enabled some feature within Pulumi without knowing
If it is for fetching the state file, then the export and import did not go well…

stocky-restaurant-98004

05/22/2023, 6:26 PM
STS would never get hit if you were using Pulumi Cloud as your backend and were not creating AWS resources.

big-jordan-24260

05/22/2023, 6:26 PM
Can I delete the state file from the bucket and make a recovery with the resource already created?

stocky-restaurant-98004

05/22/2023, 6:28 PM
You should be able to recreate any resources using pulumi import if you delete your state file, but you should delete your state file only as a last resort. If possible tear down the stack (pulumi destroy) rather than deleting the state file.

big-jordan-24260

05/22/2023, 6:28 PM
I can go back and import the state file into Pulumi Cloud again, if that’s the problem…. but that was my previous setup when these messages started to pop up and prevent the deploy of resources
Yeah, more or less, one of the resources that I built was a member account of the organization, and deleting that is a mess in AWS!

stocky-restaurant-98004

05/22/2023, 6:29 PM
If you're learning Pulumi, it's best to stick with Pulumi Cloud as your backend. It's free for individual use forever, and it's easier than managing state file or secrets yourself.

big-jordan-24260

05/22/2023, 6:29 PM
And since that fails, the rest will fail also
I understand that point, but having the state file out of a controlled environment is hard to sell to security …

stocky-restaurant-98004

05/22/2023, 6:30 PM
Yeah, accounts in AWS do not play so well with IaC because they can't be deleted in the same way. I recommend that you create AWS accounts outside of Pulumi (or any other IaC tool) and then use creds for the new account to manage resources.
Pulumi is SOC2 compliant for what it's worth, but as long as you're learning how to use Pulumi on your own and it's ok with your organization, use Pulumi Cloud just to get comfortable with writing Pulumi programs. When you're looking at organizational adoption, then try using S3/KMS for statefile/secrets.

big-jordan-24260

05/22/2023, 6:32 PM
ok
Thanks for the help! Awesome