https://pulumi.com logo
#general
Title
# general
c

crooked-lizard-5175

07/27/2023, 9:28 PM
Is there a trick to getting pulumi to respect the aws configuration in the Pulumi.<stack>.yaml file? I have
aws:profile: <profile>
and
aws:region: <region>
under the
config
key, but pulumi is defaulting back to my
default
aws profile and a different region.
f

fresh-scientist-56300

07/27/2023, 9:39 PM
I swear I came across this one, but I can't find my notes and I have a call about to start. At the minimum, you should be able to run something like:
AWS_PROFILE="" AWS_REGION="" pulumi preview
or
AWS_PROFILE= AWS_REGION= pulumi preview
s

salmon-account-74572

07/27/2023, 9:40 PM
I’m making some inquiries internally, but as a temporary workaround you can use a tool like
direnv
to set
AWS_PROFILE
to whatever value you want when you enter the directory where the Pulumi project is stored. It’s not ideal, but it’ll get you up and running.
c

crooked-lizard-5175

07/27/2023, 10:10 PM
Unfortunately setting the AWS_PROFILE and AWS_REGION env vars won't work because I'm using the AWS KMS secret provider, which is regional. I need pulumi to look in region A for the KMS key to unlock the secrets, and then region B for doing all of the resource management.
s

salmon-account-74572

07/27/2023, 10:40 PM
I see. Well, you’re going to need at least one explicit provider. You’ll either need to use an explicit provider for region A to look up the KMS key to unlock the secrets, or you’ll need an explicit provider for region B to do the resource management.
c

crooked-lizard-5175

07/27/2023, 10:48 PM
Yes. The KMS secret provider isn't always in the region that my resources are in. FWIW, I am running an
pulumi import
to import a resource in region A, but my KMS key is in region B. So i say AWS_REGION=B, pulumi can't find the resource I am trying to import (because it's looking in the wrong region). But if I say AWS_REGION=A, pulumi can't find the KMS key to initialize the secrets.
Maybe I am using pulumi in a nonstandard way (I am new) 🙂
The expected behavior I was hoping for was that pulumi would use the
aws:profile
value for finding the region for the KMS key, and the
aws:region
value for doing the actual resource management.
s

salmon-account-74572

07/27/2023, 10:55 PM
No, it won’t behave that way. I would define an explicit provider for region B for getting the KMS key, and use the default provider to import resources from region A. You could swap, but either way you need at least one explicit provider (and then you need to specify that provider in the resource options in your code for that particular resource). Pulumi just isn’t going to use
aws:profile
and
aws:region
the way you’re describing.
BTW, if you want and are able to share your code, that might make it easier for others to help get you to a working solution.
c

crooked-lizard-5175

07/27/2023, 11:15 PM
Ok I think I understand. So for the
pulumi import
command, I did see a
--provider
option, but I was struggling to figure out how to specify an AWS provider urn that points to a different region. This is what I should dig into though?
Oh lord, I just realized KMS keys can be replicated to different AWS regions 🤦‍♂️ that solves my issue.
f

fierce-ability-58936

07/28/2023, 1:19 AM
You can also set the region and profile in the KMS key URL https://www.pulumi.com/docs/concepts/secrets/#available-encryption-providers