astonishing-journalist-77684
12/01/2023, 9:14 PM
pulumi-aws driver we rely on. The symptoms match a number of open and closed issues on the repo, so I hope the question I have makes sense. When using SSO, pulumi preview and pulumi up both give the same error, consistently:
Error: failed to refresh cached credentials, the SSO session has expired or is invalid: open /Users/[redacted]/.aws/sso/cache/1f00d08c5e62b5eaa7523500a301bc70997c42d9.json: no such file or directory
It's always the same hash, even across days, and no matter how many times I've renewed my AWS credentials. What I have been able to dig up through investigation of the aws sdk and the pulumi-aws repository is that at some point, pulumi had duplicated whatever hashing approach (sha-1?) that the aws sdk was performing at the time to generate new cache file names so that you could pull the latest cache file. Unfortunately, aws's approach has changed over time and now pulumi-aws generates an erroneous hash which sends it looking for the same non-existent file.
The work-around I've found from other folks reporting this issue is to symlink the latest cache file to the file pulumi expects. This is irritating because I have to first run pulumi preview to get the error in order to know what hash it's trying to use for the file. I would like to add to my shell script that refreshes all my credentials each day that symlinks the hash pulumi expects to the latest cache file after I've refreshed the login. The catch is, I can't figure out where exactly you all are passing things in my environment into the hash function in order to determine that filename.
Can someone here help me determine the approach so we can get a workaround? Thank you in advance for reading the long-winded explanation 😅
billowy-army-68599
astonishing-journalist-77684
12/01/2023, 9:18 PM
astonishing-journalist-77684
12/01/2023, 9:18 PM
astonishing-journalist-77684
12/01/2023, 9:20 PM
pulumi preview and wait for it to dump the error out and parse that looking for the missing file name, I thought it would be easier if I just asked how that hash is generated
billowy-army-68599
billowy-army-68599
billowy-army-68599
astonishing-journalist-77684
12/01/2023, 9:21 PM
astonishing-journalist-77684
12/01/2023, 9:21 PM
astonishing-journalist-77684
12/01/2023, 9:22 PM
billowy-army-68599
it’s reading the cached credential file that aws stores after an sso login
if it’s doing this, again, the issue is related directly to the aws GO sdk. there’s nothing special in the provider that does this to my knowledge
billowy-army-68599
astonishing-journalist-77684
12/01/2023, 9:26 PM
billowy-army-68599
astonishing-journalist-77684
12/01/2023, 9:28 PM
astonishing-journalist-77684
12/01/2023, 9:28 PM
billowy-army-68599
pulumi login or pulumi up?
astonishing-journalist-77684
12/01/2023, 9:29 PM
astonishing-journalist-77684
12/01/2023, 9:29 PM
astonishing-journalist-77684
12/01/2023, 9:29 PM
astonishing-journalist-77684
12/01/2023, 9:30 PM
billowy-army-68599
sso_start_url have a # in it?
astonishing-journalist-77684
12/01/2023, 9:31 PM
billowy-army-68599
billowy-army-68599
astonishing-journalist-77684
12/01/2023, 9:31 PM
billowy-army-68599
billowy-army-68599
astonishing-journalist-77684
12/01/2023, 9:35 PM
billowy-army-68599
sso_start_url = https://lbrlabs.awsapps.com/start
astonishing-journalist-77684
12/01/2023, 9:36 PM
# at the end
billowy-army-68599
astonishing-journalist-77684
12/01/2023, 9:37 PM
Missing the following required SSO configuration values: sso_start_url, sso_region. To make sure this profile is properly configured to use SSO, please run: aws configure sso
billowy-army-68599
astonishing-journalist-77684
12/01/2023, 9:38 PM
billowy-army-68599
.aws/config file?
astonishing-journalist-77684
12/01/2023, 9:41 PM
[default]
region = [region]
output = json
[profile myprofile]
sso_session = myprofile
sso_account_id = [sso-account-id]
sso_role_name = [sso-role]
sso_region = [sso-region]
sso_start_url = [sso-start-url]
sso_registration_scopes = sso:account:access
region = [region]
output = json
[sso-session myprofile]
sso_start_url = [sso-start-url]
sso_region = [sso-region]
sso_registration_scopes = sso:account:access
billowy-army-68599
[sso-session personal]
sso_region = us-west-2
sso_start_url = https://lbrlabs.awsapps.com/start
[profile personal-development]
sso_session = personal
output = json
region = us-west-2
sso_account_id = <x>
sso_role_name = AWSAdministratorAccess
[profile personal-management]
sso_session = personal
output = json
region = us-west-2
sso_account_id = <x>
sso_role_name = AWSAdministratorAccess
I’d choose to use sso-session and configure it correctly, or use a legacy profile (where you copy the start url and region to every profile)
astonishing-journalist-77684
12/01/2023, 9:48 PM
astonishing-journalist-77684
12/01/2023, 10:02 PM
[sso-session dev]
sso_region = [sso-region]
sso_start_url = [sso-start-url]
[profile profile-name]
sso_session = dev
output = json
region = [profile-region]
sso_account_id = [sso-account-id]
sso_role_name = [sso-role-name]
the aws sso login works now, but, I get a different error from pulumi:
aws:kms:Key (cluster-key):
error: unable to validate AWS credentials.
Details: loading configuration: profile "[profile-name]" is configured to use SSO but is missing required configuration: sso_region, sso_start_url
Make sure you have:
• Set your AWS region, e.g. `pulumi config set aws:region us-west-2`
• Configured your AWS credentials as per https://pulumi.io/install/aws.html
You can also set these via cli using `aws configure`.
pulumi:pulumi:Stack ([stack-name]):
error: Error: invocation of aws:index/getPartition:getPartition returned an error: unable to validate AWS credentials - see https://pulumi.io/install/aws.html for details on configuration
at Object.callback (/Users/alex/git/rownd/infrastructure/node_modules/@pulumi/runtime/invoke.ts:159:33)
at Object.onReceiveStatus (/Users/alex/git/rownd/infrastructure/node_modules/@grpc/grpc-js/src/client.ts:338:26)
at Object.onReceiveStatus (/Users/alex/git/rownd/infrastructure/node_modules/@grpc/grpc-js/src/client-interceptors.ts:426:34)
at Object.onReceiveStatus (/Users/alex/git/rownd/infrastructure/node_modules/@grpc/grpc-js/src/client-interceptors.ts:389:48)
at /Users/alex/git/rownd/infrastructure/node_modules/@grpc/grpc-js/src/call-stream.ts:276:24
at processTicksAndRejections (node:internal/process/task_queues:77:11)
error: Error: invocation of aws:index/getRegion:getRegion returned an error: unable to validate AWS credentials - see https://pulumi.io/install/aws.html for details on configuration
at Object.callback (/Users/alex/git/rownd/infrastructure/node_modules/@pulumi/runtime/invoke.ts:159:33)
at Object.onReceiveStatus (/Users/alex/git/rownd/infrastructure/node_modules/@grpc/grpc-js/src/client.ts:338:26)
at Object.onReceiveStatus (/Users/alex/git/rownd/infrastructure/node_modules/@grpc/grpc-js/src/client-interceptors.ts:426:34)
at Object.onReceiveStatus (/Users/alex/git/rownd/infrastructure/node_modules/@grpc/grpc-js/src/client-interceptors.ts:389:48)
at /Users/alex/git/rownd/infrastructure/node_modules/@grpc/grpc-js/src/call-stream.ts:276:24
at processTicksAndRejections (node:internal/process/task_queues:77:11)
billowy-army-68599
astonishing-journalist-77684
12/01/2023, 10:02 PM
astonishing-journalist-77684
12/01/2023, 10:03 PM
billowy-army-68599
pulumi about
billowy-army-68599
astonishing-journalist-77684
12/01/2023, 10:04 PM
Dependencies:
NAME VERSION
@pulumi/aws-native 0.40.2
@pulumi/kubernetes 3.22.1
@pulumi/pulumi 3.46.1
@pulumi/cloudflare 4.12.1
@pulumi/eks 0.42.7
@pulumi/gitlab 4.9.0
@types/node 14.18.33
simple-git 2.48.0
@aws-cdk/aws-ec2 1.180.0
@pulumi/aws 5.21.0
@pulumi/awsx 0.40.1
billowy-army-68599
astonishing-journalist-77684
12/01/2023, 10:08 PM
astonishing-journalist-77684
12/01/2023, 10:09 PM
billowy-army-68599
[profile myprofile]
sso_session = myprofile # here
sso_account_id = [sso-account-id]
sso_role_name = [sso-role]
sso_region = [sso-region]
sso_start_url = [sso-start-url]
sso_registration_scopes = sso:account:access
region = [region]
output = json
astonishing-journalist-77684
12/01/2023, 10:09 PM
billowy-army-68599
npm install @pulumi/aws --update
The long and short of all this really is that there are bugs in sso-session and sso profile management and it’s finicky. as i mentioned before, this is the main upstream issue: https://github.com/aws/aws-sdk-go-v2/issues/2241
astonishing-journalist-77684
12/01/2023, 10:16 PM
astonishing-journalist-77684
12/01/2023, 10:16 PM
Diagnostics:
pulumi:pulumi:Stack (infra-dev-us-east-2):
error: Error: invocation of aws:index/getPartition:getPartition returned an error: unable to validate AWS credentials - see https://pulumi.io/install/aws.html for details on configuration
at Object.callback (/Users/alex/git/rownd/infrastructure/node_modules/@pulumi/runtime/invoke.ts:159:33)
at Object.onReceiveStatus (/Users/alex/git/rownd/infrastructure/node_modules/@grpc/grpc-js/src/client.ts:338:26)
at Object.onReceiveStatus (/Users/alex/git/rownd/infrastructure/node_modules/@grpc/grpc-js/src/client-interceptors.ts:426:34)
at Object.onReceiveStatus (/Users/alex/git/rownd/infrastructure/node_modules/@grpc/grpc-js/src/client-interceptors.ts:389:48)
at /Users/alex/git/rownd/infrastructure/node_modules/@grpc/grpc-js/src/call-stream.ts:276:24
at processTicksAndRejections (node:internal/process/task_queues:77:11)
error: Error: invocation of aws:index/getRegion:getRegion returned an error: unable to validate AWS credentials - see https://pulumi.io/install/aws.html for details on configuration
at Object.callback (/Users/alex/git/rownd/infrastructure/node_modules/@pulumi/runtime/invoke.ts:159:33)
at Object.onReceiveStatus (/Users/alex/git/rownd/infrastructure/node_modules/@grpc/grpc-js/src/client.ts:338:26)
at Object.onReceiveStatus (/Users/alex/git/rownd/infrastructure/node_modules/@grpc/grpc-js/src/client-interceptors.ts:426:34)
at Object.onReceiveStatus (/Users/alex/git/rownd/infrastructure/node_modules/@grpc/grpc-js/src/client-interceptors.ts:389:48)
at /Users/alex/git/rownd/infrastructure/node_modules/@grpc/grpc-js/src/call-stream.ts:276:24
at processTicksAndRejections (node:internal/process/task_queues:77:11)
aws:iam:Role (dev-us-east-2-eksRole-role):
error: unable to validate AWS credentials - see https://pulumi.io/install/aws.html for details on configuration
billowy-army-68599
pulumi up after running npm install --update
billowy-army-68599
astonishing-journalist-77684
12/01/2023, 10:17 PM
billowy-army-68599
[default]
region = [region]
output = json
[profile myprofile]
sso_account_id = [sso-account-id]
sso_role_name = [sso-role]
sso_region = [sso-region]
sso_start_url = [sso-start-url]
sso_registration_scopes = sso:account:access
region = [region]
output = json
billowy-army-68599
astonishing-journalist-77684
12/01/2023, 10:28 PM
astonishing-journalist-77684
12/01/2023, 10:31 PM
billowy-army-68599
aws sts get-caller-identity work?
astonishing-journalist-77684
12/01/2023, 10:34 PM
billowy-army-68599
sso_registration_scopes
billowy-army-68599
astonishing-journalist-77684
12/01/2023, 10:34 PM
billowy-army-68599
astonishing-journalist-77684
12/01/2023, 10:35 PM
astonishing-journalist-77684
12/01/2023, 10:38 PM
[default]
region = [region]
output = json
[profile profile-name]
sso_account_id = [sso-account-number]
sso_role_name = [sso-role-name]
sso_region = [sso-region]
sso_start_url = [sso-start-url]
sso_registration_scopes = [sso-scope]
region = [region]
output = json
billowy-army-68599
sso_registration_scopes = [sso-scope]
you still have this property in there. Remove it, and reauth
astonishing-journalist-77684
12/01/2023, 10:38 PM
billowy-army-68599
astonishing-journalist-77684
12/01/2023, 10:40 PM
astonishing-journalist-77684
12/01/2023, 10:41 PM
astonishing-journalist-77684
12/01/2023, 10:42 PM
--profile on the sts call, my mistake
astonishing-journalist-77684
12/01/2023, 10:42 PM
billowy-army-68599
billowy-army-68599
billowy-army-68599
astonishing-journalist-77684
12/01/2023, 10:42 PM
billowy-army-68599
astonishing-journalist-77684
12/01/2023, 10:55 PM