
salmon-hair-39994

07/10/2023, 10:22 PM
Hello, any ideas how to pass two different provider configs for different regions in a Pulumi Go project? I tried aws.ProviderArgs, but keep getting the error below:
error: 1 error occurred:\n    \t* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.\n    \n    Please see <https://registry.terraform.io/providers/hashicorp/aws>\n    for more information about providing credentials.\n    \n    Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, access disabled to EC2 IMDS via client option, or \"AWS_EC2_METADATA_DISABLED\" environment variable\n\nResources:\n
I also tried setting SkipMetadataApiCheck: false, but it didn’t help at all. Any suggestions will be appreciated.

salmon-account-74572

07/10/2023, 10:27 PM
You should be able to declare an explicit AWS provider and specify configuration parameters, like AWS region. I had to do this a while back for some VPC peering, here’s the code I used:
// Set up a provider for the destination region
dstProvider, err := aws.NewProvider(ctx, "dstProvider", &aws.ProviderArgs{
	Region: pulumi.String(dstVpcRegion),
})
Note that dstVpcRegion was a configuration parameter I pulled into the program using config.Require.
Then you specify that explicit provider for resources that need to be created in the other region.

salmon-hair-39994

07/10/2023, 10:28 PM
this is exactly what I did in my code
provider, err := aws.NewProvider(ctx, "aws-provider-"+region, &aws.ProviderArgs{
	Region: pulumi.String(region),
})

salmon-account-74572

07/10/2023, 10:29 PM
And then you used pulumi.Provider(provider)) when creating other resources?

salmon-hair-39994

07/10/2023, 10:29 PM
In my case I need to provision a resource in both us-east-2 and us-west-2, so I pass the region to the provider config above, but still get the error

salmon-account-74572

07/10/2023, 10:30 PM
Are your AWS credentials appropriately sourced/supplied?

salmon-hair-39994

07/10/2023, 10:30 PM
I append the provider config to the pulumi.ResourceOption
opts := make([]pulumi.ResourceOption, 0)

opts = append(opts, pulumi.Provider(provider))

// Create ecr repo
repo, err := ecr.NewRepository(ctx, serviceName, repoArgs, opts...)
if err != nil {
	return nil, err
}
In my case, we are using the pulumi k8s operator, and we have an IAM role configured for the operator.
It works perfectly for a single region until I add this multi-region support.

salmon-account-74572

07/10/2023, 10:33 PM
Ah, you’re using the K8s Operator. That does change things a bit. Based on the error message above, it looks like there is an IAM error related to an inability to access the metadata service. That being said, I’m unclear why this would affect only multi-region setups.

salmon-hair-39994

07/10/2023, 10:34 PM
Thanks @salmon-account-74572, are you saying the issue might be related to the IAM role that is assigned to the k8s operator?

salmon-account-74572

07/10/2023, 10:36 PM
I believe so, yes. I have a hunch (but can’t confirm/verify yet) that it’s related to a recent change regarding instances defaulting to IMDSv2.

salmon-hair-39994

07/10/2023, 10:38 PM
not sure why we need this GetMetadata, access disabled to EC2 IMDS, in my case I’m not creating an EC2 resource 🙂 I’m trying to create an elastic container repo

billowy-army-68599

07/10/2023, 10:49 PM
How are you passing credentials to the operator?

salmon-hair-39994

07/10/2023, 10:50 PM
through IAM role @billowy-army-68599

billowy-army-68599

07/10/2023, 10:50 PM
With what mechanism? Node roles? IRSA?

salmon-hair-39994

07/10/2023, 10:52 PM
as k8s ENV to operator, we are using the OPERATOR_ROLE_ARN env to assign an AWS IAM role

billowy-army-68599

07/10/2023, 11:07 PM
Okay, but just setting that env var won’t actually do the work to get a role pushed down. Are you using IAM roles for service accounts or anything else?
That environment variable only tells the operator which role to try to assume.

salmon-hair-39994

07/10/2023, 11:12 PM
That’s true. Basically we have a script to create the k8s CRD stack; once the stack is created it will be consumed by the pulumi k8s operator watch(), which then starts provisioning resources based on whatever we pass into the stack.
The IAM role of the k8s operator is mainly for provisioning actual AWS resources; I don’t think that is related to the error above, which is more related to the provider.

salmon-account-74572

07/10/2023, 11:16 PM
Unless I’m mistaken, though, the operator needs to use the role to provision resources via the provider

salmon-hair-39994

07/10/2023, 11:19 PM
we use the default provider which we get when we don’t specify a custom provider
I’m just trying to follow this doc https://www.pulumi.com/blog/deploy-to-multiple-regions/ from pulumi

few-pillow-1133

07/18/2023, 1:39 AM
@salmon-hair-39994 did you manage to solve this...running into the same?

salmon-hair-39994

07/18/2023, 4:04 AM
looks like adding this SkipMetadataApiCheck: pulumi.BoolPtr(false), in my code did fix the issue