Is there a trick to getting pulumi to respect the aws config

Question

Is there a trick to getting pulumi to respect the aws configuration in the Pulumi lt stack gt yaml file I have `aws profile lt profile gt ` and `aws region lt region gt ` under the `config` key but pulumi is defaulting back to my `default` aws profile and a different region

fresh-scientist-56300 · Answer

I swear I came across this one but I can t find my notes and I have a call about to start At the minimum you should be able to run something like `AWS PROFILE= AWS REGION= pulumi preview` or `AWS PROFILE= AWS REGION= pulumi preview`

salmon-account-74572 · Answer

I m making some inquiries internally but as a temporary workaround you can use a tool like `direnv` to set `AWS PROFILE` to whatever value you want when you enter the directory where the Pulumi project is stored It s not ideal but it ll get you up and running

crooked-lizard-5175 · Answer

Unfortunately setting the AWS PROFILE and AWS REGION env vars won t work because I m using the AWS KMS secret provider which is regional I need pulumi to look in region A for the KMS key to unlock the secrets and then region B for doing all of the resource management

salmon-account-74572 · Answer

I see Well you re going to need at least one explicit provider You ll either need to use an explicit provider for region A to look up the KMS key to unlock the secrets or you ll need an explicit provider for region B to do the resource management

crooked-lizard-5175 · Answer

Yes The KMS secret provider isn t always in the region that my resources are in FWIW I am running an `pulumi import` to import a resource in region A but my KMS key is in region B So i say AWS REGION=B pulumi can t find the resource I am trying to import because it s looking in the wrong region But if I say AWS REGION=A pulumi can t find the KMS key to initialize the secrets

crooked-lizard-5175 · Answer

Maybe I am using pulumi in a nonstandard way I am new slightly smiling face

crooked-lizard-5175 · Answer

The expected behavior I was hoping for was that pulumi would use the `aws profile` value for finding the region for the KMS key and the `aws region` value for doing the actual resource management

salmon-account-74572 · Answer

No it won t behave that way I would define an explicit provider for region B for getting the KMS key and use the default provider to import resources from region A You could swap but either way you need at least one explicit provider and then you need to specify that provider in the resource options in your code for that particular resource Pulumi just isn t going to use `aws profile` and `aws region` the way you re describing

salmon-account-74572 · Answer

BTW if you want and are able to share your code that might make it easier for others to help get you to a working solution

crooked-lizard-5175 · Answer

Ok I think I understand So for the `pulumi import` command I did see a ` provider` option but I was struggling to figure out how to specify an AWS provider urn that points to a different region This is what I should dig into though

crooked-lizard-5175 · Answer

Oh lord I just realized KMS keys can be replicated to different AWS regions man facepalming that solves my issue

fierce-ability-58936 · Answer

You can also set the region and profile in the KMS key URL <https www pulumi com docs concepts secrets available encryption providers>