https://pulumi.com logo
#pulumi-deployments
Title
# pulumi-deployments
a

ambitious-air-92938

10/31/2023, 2:20 PM
Hey folks, I'm having some issues trying to set up Deployments with AWS OIDC. I've verified that the OIDC IdP and Audience is set correctly, and the OIDC flow does indeed return both keys and session token (I've `echo`ed out all three as part of a preview deployment run), but when it comes to the preview it fails with the following:
Copy code
Error: Preview failed: error: getting stack configuration: get stack secrets manager: operation error KMS: Decrypt, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, canceled, context deadline exceeded
The IAM Role associated with the OIDC config and audience has admin privs across the whole AWS account. Our stack config uses KMS as a secrets provider. The stack config is configured to use an AWS profile thus:
awskms://alias/pulumi?region=eu-west-1&profile=<profile>&awssdk=v2
but I'm overriding that in the Deployment config with the mapping
secretsprovider: <awskms://alias/pulumi?region=eu-west-1>
(at least I'm assuming that's overriding it). I've also verified that the KMS key has a policy attached to it that allows access from the whole AWS account. Anyone have any ideas what I'm doing wrong?
r

red-match-15116

11/01/2023, 1:49 AM
but I'm overriding that in the Deployment config with the mapping
what's the command you're using to do this? and does the config you expect show up in the stack update?
a

ambitious-air-92938

11/01/2023, 10:28 AM
Thanks for the reply Komal. I've managed to get around this by writing out the returned creds from the OIDC flow to a local AWS config file under a profile name.
66 Views