No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

If I set my AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as environment variables, the error does not appear

I believe this is telling you that the S3 bucket has encryption enabled, and either the role you’re using or the kms policy means you can’t access the key

<@UCWG26BH7> - It works if I provide the AWS credentials as env vars before running pulumi up

my question is more or less, should I provide additional config somewhere to determine which profile to use when running pulumi up where multiple profiles are required between environments?

logging in to the backend state with the aforementioned command seems to work, but the actual evaluation of the state / resource creation is failing, because i believe the wrong credentials are being utilized.

note, I have "aws:profile" set in the stack config

the stack configuration and the auth data for the s3 bucket are different, they run in different processes

both are set, but I still get the ciphertext error unless I explicitly set the ENV vars

if your profile is correct, just provider `AWS_PROFILE=foo pulumi up`

&gt; where multiple profiles are required between environments
the things to remember here are:

• the provider configuration and the state configuration are separate and authenticate distinctly. Your aws profile being set in the provider config doesn’t affect the state storage bucket configuration
• if you’re storing your state in profile A but want to use profile B, you’ll need to provide both those credentials to pulumi 

Yes, I understand that - but it appears that regardless of aws:profile config setting, it's not utilizing profile credentials.  The pulumi up command works if I provide the AWS_* environment variables, but not if I only rely on the aws:profile.

you mean `aws:profile` in the stack configuration?

again, that won’t work for state writes. as i said here:

&gt; the provider configuration and the state configuration are separate and authenticate distinctly. Your aws profile being set in the provider config doesn’t affect the state storage bucket configuration
if you do `export AWS_PROFILE=` it should work

Oh, okay. I get it now.  Sorry, I'm dense, lol

not at all, it’s tricky having them be separate processes, but it’s because the pulumi providers talk to the pulumi engine over grpc on localhost, so they’re separate entities

Cool - thanks for your help :slightly_smiling_face: