I'm trying the new pulumi CLI 3.33.1 feature of lo...
# general
m
I'm trying the new pulumi CLI 3.33.1 feature of logging in to an AWS S3 backend state by adding awssdk=v2 to my login command:
pulumi login 's3://my-bucket-here?region=us-east-1&awssdk=v2&profile=my-profile-here'
Logged in to MY-DESKTOP as MY-DESKTOP\my-user(s3://my-bucket-here?region=us-east-1&awssdk=v2&profile=my-profile-here)
I'm getting the following error when running `pulumi up`:
AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
Am I missing something?
If I set my AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as environment variables, the error does not appear
b
I believe this is telling you that the S3 bucket has encryption enabled, and either the role you’re using or the kms policy means you can’t access the key
m
@billowy-army-68599 - It works if I provide the AWS credentials as env vars before running pulumi up
my question is more or less, should I provide additional config somewhere to determine which profile to use when running pulumi up where multiple profiles are required between environments? logging in to the backend state with the aforementioned command seems to work, but the actual evaluation of the state / resource creation is failing, because I believe the wrong credentials are being utilized.
note, I have "aws:profile" set in the stack config
b
the stack configuration and the auth data for the s3 bucket are different, they run in different processes
so yes, you need to provide them both
m
both are set, but I still get the ciphertext error unless I explicitly set the ENV vars
b
if your profile is correct, just provide
AWS_PROFILE=foo pulumi up
where multiple profiles are required between environments
the things to remember here are:
• the provider configuration and the state configuration are separate and authenticate distinctly. Your aws profile being set in the provider config doesn’t affect the state storage bucket configuration
• if you’re storing your state in profile A but want to use profile B, you’ll need to provide both those credentials to pulumi
m
Yes, I understand that - but it appears that regardless of aws:profile config setting, it's not utilizing profile credentials. The pulumi up command works if I provide the AWS_* environment variables, but not if I only rely on the aws:profile.
b
you mean
aws:profile
in the stack configuration?
m
right
b
again, that won’t work for state writes. as i said here:
the provider configuration and the state configuration are separate and authenticate distinctly. Your aws profile being set in the provider config doesn’t affect the state storage bucket configuration
if you do
export AWS_PROFILE=
it should work
m
Oh, okay. I get it now. Sorry, I'm dense, lol
b
not at all, it’s tricky having them be separate processes, but it’s because the pulumi providers talk to the pulumi engine over gRPC on localhost, so they’re separate entities
m
Cool - thanks for your help 🙂