# general
s
You should be able to declare an explicit AWS provider and specify configuration parameters, like AWS region. I had to do this a while back for some VPC peering, here’s the code I used:
```go
// Set up a provider for the destination region
dstProvider, err := aws.NewProvider(ctx, "dstProvider", &aws.ProviderArgs{
	Region: pulumi.String(dstVpcRegion),
})
if err != nil {
	return err
}
```
Note that `dstVpcRegion` was a configuration parameter I pulled into the program using `config.Require`.
Then you specify that explicit provider for resources that need to be created in the other region.
s
this is exactly what I did in my code
```go
provider, err := aws.NewProvider(ctx, "aws-provider-"+region, &aws.ProviderArgs{
	Region: pulumi.String(region), // one explicit provider per region
})
if err != nil {
	return err
}
```
s
And then you used `pulumi.Provider(provider)` when creating other resources?
s
In my case I need to provision a resource in both us-east-2 and us-west-2, so I pass the region to the provider config above, but still get the error
s
Are your AWS credentials appropriately sourced/supplied?
s
I append the provider config to the `pulumi.ResourceOption`:
```go
opts := make([]pulumi.ResourceOption, 0)
// Pin every resource created below to the per-region provider
opts = append(opts, pulumi.Provider(provider))

// Create ECR repo
repo, err := ecr.NewRepository(ctx, serviceName, repoArgs, opts...)
if err != nil {
	return nil, err
}
```
In my case, we are using the Pulumi k8s operator, for which we have an IAM role configured.
It works perfectly for a single region until I add this multi-region support.
s
Ah, you’re using the K8s Operator. That does change things a bit. Based on the error message above, it looks like there is an IAM error related to an inability to access the metadata service. That being said, I’m unclear why this would affect only multi-region setups.
s
Thanks @salmon-account-74572, are you saying the issue might be related to the IAM role assigned to the k8s operator?
s
I believe so, yes. I have a hunch (but can’t confirm/verify yet) that it’s related to a recent change regarding instances defaulting to IMDSv2.
s
Not sure why we need this: `GetMetadata, access disabled to EC2 IMDS`. In my case I'm not creating an EC2 resource 🙂 I'm trying to create an elastic container repo.
b
How are you passing credentials to the operator?
s
Through an IAM role, @billowy-army-68599.
b
With what mechanism? Node roles? IRSA?
s
As a k8s env var to the operator; we are using the `OPERATOR_ROLE_ARN` env var to assign an AWS IAM role.
b
Okay, but just setting that env var won't actually do the work to get a role pushed down. Are you using IAM roles for service accounts or anything else?
That environment variable only tells the operator which role to try to assume.
s
That's true. Basically we have a script to create a k8s CRD stack; once the stack is created it will be consumed by the Pulumi k8s operator `watch()`, which then starts provisioning resources based on whatever we pass into the stack.
The IAM role of the k8s operator is mainly for provisioning actual AWS resources; I don't think that's related to the error above, which is more related to the provider.
s
Unless I’m mistaken, though, the operator needs to use the role to provision resources via the provider
s
We use the default provider, which we get when we don't specify a custom provider.
I’m just trying to follow this doc https://www.pulumi.com/blog/deploy-to-multiple-regions/ from pulumi
f
@salmon-hair-39994 did you manage to solve this...running into the same?
s
Looks like adding this `SkipMetadataApiCheck: pulumi.BoolPtr(false),` in my code did fix the issue.