I previously had awskms secrets providers working,...
# aws
I previously had awskms secrets providers working, but today they suddenly stopped working (I'm sure due to something I changed), but I haven't been able to figure it out. Even though I am specifying
profile=<profile name>&awssdk=v2
in the query parameters, it is falling back to IMDS to try and authenticate resulting in
Copy code
error: constructing secrets manager of type "cloud": secrets (code=Unknown): operation error KMS: Decrypt, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, access disabled to EC2 IMDS via client option, or "AWS_EC2_METADATA_DISABLED" environment variable
I've triple checked that the profile name matches, made sure that I'm logged in through the AWS CLI, reinstalled pulumi, reinstalled aws cli. If I call
aws kms decrypt --ciphertext-blob <the blob> --profile=<profile name>
, it works as expected. I'm not really sure what else to check at this point but I'm getting fairly desperate to reach my infra
Adding more confusion,
pulumi config --show-secrets
works but
pulumi up
fails with the same message as above
This also only applies to some stacks (even within the same project) that have identical secretsproviders...
Ah, I didn't realize the previous provider was serialized into the stack 🤦