#general

magnificent-smartphone-40853

07/03/2023, 4:13 PM
I'm trying the new pulumi CLI 3.33.1 feature of logging in to an AWS s3 backend state by adding awssdk=v2 to my login command:
pulumi login 's3://my-bucket-here?region=us-east-1&awssdk=v2&profile=my-profile-here'
Logged in to MY-DESKTOP as MY-DESKTOP\my-user(s3://my-bucket-here?region=us-east-1&awssdk=v2&profile=my-profile-here)
I'm getting the following error when running `pulumi up`:
AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
Am I missing something?
If I set my AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as environment variables, the error does not appear

billowy-army-68599

07/03/2023, 4:55 PM
I believe this is telling you that the S3 bucket has encryption enabled, and either the role you’re using or the kms policy means you can’t access the key

magnificent-smartphone-40853

07/03/2023, 5:03 PM
@billowy-army-68599 - It works if I provide the AWS credentials as env vars before running pulumi up
my question is more or less, should I provide additional config somewhere to determine which profile to use when running pulumi up where multiple profiles are required between environments? logging in to the backend state with the aforementioned command seems to work, but the actual evaluation of the state / resource creation is failing, because i believe the wrong credentials are being utilized.
note, I have "aws:profile" set in the stack config

billowy-army-68599

07/03/2023, 5:19 PM
the stack configuration and the auth data for the s3 bucket are different, they run in different processes
so yes, you need to provide them both

magnificent-smartphone-40853

07/03/2023, 5:27 PM
both are set, but I still get the ciphertext error unless I explicitly set the ENV vars

billowy-army-68599

07/03/2023, 5:30 PM
if your profile is correct, just provide `AWS_PROFILE=foo pulumi up`
where multiple profiles are required between environments
the things to remember here are:
• the provider configuration and the state configuration are separate and authenticate distinctly. Your aws profile being set in the provider config doesn’t affect the state storage bucket configuration
• if you’re storing your state in profile A but want to use profile B, you’ll need to provide both those credentials to pulumi

magnificent-smartphone-40853

07/03/2023, 5:34 PM
Yes, I understand that - but it appears that regardless of aws:profile config setting, it's not utilizing profile credentials. The pulumi up command works if I provide the AWS_* environment variables, but not if I only rely on the aws:profile.

billowy-army-68599

07/03/2023, 5:36 PM
you mean `aws:profile` in the stack configuration?

magnificent-smartphone-40853

07/03/2023, 5:36 PM
right

billowy-army-68599

07/03/2023, 5:37 PM
again, that won’t work for state writes. as i said here:
the provider configuration and the state configuration are separate and authenticate distinctly. Your aws profile being set in the provider config doesn’t affect the state storage bucket configuration
if you do `export AWS_PROFILE=` it should work

magnificent-smartphone-40853

07/03/2023, 5:39 PM
Oh, okay. I get it now. Sorry, I'm dense, lol

billowy-army-68599

07/03/2023, 5:40 PM
not at all, it’s tricky having them be separate processes, but it’s because the pulumi providers talk to the pulumi engine over grpc on localhost, so they’re separate entities

magnificent-smartphone-40853

07/03/2023, 5:42 PM
Cool - thanks for your help 🙂