# general
s
Hello, any ideas how to pass two different provider configs for different regions in a Pulumi Go project? I tried `aws.ProviderArgs`, but keep getting an error like the one below:
```
error: 1 error occurred:\n    \t* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.\n    \n    Please see <https://registry.terraform.io/providers/hashicorp/aws>\n    for more information about providing credentials.\n    \n    Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, access disabled to EC2 IMDS via client option, or \"AWS_EC2_METADATA_DISABLED\" environment variable\n\nResources:\n
```
I also tried setting `SkipMetadataApiCheck: false`, but it didn't help at all. Any suggestions will be appreciated.
s
You should be able to declare an explicit AWS provider and specify configuration parameters, like AWS region. I had to do this a while back for some VPC peering, here’s the code I used:
```go
// Set up a provider for the destination region
dstProvider, err := aws.NewProvider(ctx, "dstProvider", &aws.ProviderArgs{
	Region: pulumi.String(dstVpcRegion),
})
```
Note that `dstVpcRegion` was a configuration parameter I pulled into the program using `config.Require`.
Then you specify that explicit provider for resources that need to be created in the other region.
s
this is exactly what I did in my code
```go
provider, err := aws.NewProvider(ctx, "aws-provider-"+region, &aws.ProviderArgs{
	Region: pulumi.String(region),
})
```
s
And then you used `pulumi.Provider(provider))` when creating other resources?
s
In my case I need to provision a resource in both us-east-2 and us-west-2, so I pass the region to the provider config above, but still get the error
s
Are your AWS credentials appropriately sourced/supplied?
s
I append the provider config to the `pulumi.ResourceOption`:
```go
opts := make([]pulumi.ResourceOption, 0)

opts = append(opts, pulumi.Provider(provider))

// Create ecr repo
repo, err := ecr.NewRepository(ctx, serviceName, repoArgs, opts...)
if err != nil {
	return nil, err
}
```
In my case, we are using the Pulumi k8s operator, for which we have an IAM role configured.
It works perfectly for a single region until I add this multi-region support.
s
Ah, you’re using the K8s Operator. That does change things a bit. Based on the error message above, it looks like there is an IAM error related to an inability to access the metadata service. That being said, I’m unclear why this would affect only multi-region setups.
s
Thanks @salmon-account-74572, are you saying the issue might be related to the IAM role that is assigned to the k8s operator?
s
I believe so, yes. I have a hunch (but can’t confirm/verify yet) that it’s related to a recent change regarding instances defaulting to IMDSv2.
s
Not sure why we need this `GetMetadata, access disabled to EC2 IMDS`; in my case I'm not creating an EC2 resource 🙂 I'm trying to create an elastic container repo.
b
How are you passing credentials to the operator?
s
through IAM role @billowy-army-68599
b
With what mechanism? Node roles? IRSA?
s
As a k8s ENV to the operator; we are using the `OPERATOR_ROLE_ARN` env to assign an AWS IAM role.
b
Okay, but just setting that env var won't actually do the work to get a role pushed down. Are you using IAM roles for service accounts or anything else?
That environment variable only tells the operator which role to try to assume.
s
That’s true. Basically we have a script to create a k8s CRD stack; once the stack is created it will be consumed by the Pulumi k8s operator watch(), which then starts provisioning resources based on whatever we pass into the stack.
The IAM role of the k8s operator is mainly for provisioning actual AWS resources; I don’t think that is related to the error above, which is more related to the provider.
s
Unless I’m mistaken, though, the operator needs to use the role to provision resources via the provider
s
we use the default provider which we get when we don’t specify a custom provider
I’m just trying to follow this doc https://www.pulumi.com/blog/deploy-to-multiple-regions/ from pulumi
f
@salmon-hair-39994 did you manage to solve this...running into the same?
s
looks like adding this `SkipMetadataApiCheck: pulumi.BoolPtr(false),` in my code did fix the issue