# aws

mysterious-raincoat-41852

01/11/2024, 8:59 PM
Hey folks! @brainy-flower-70624 is trying to run Pulumi from an EC2 instance and seeing some issues. Probably some of you can help with setup! “I am trying to set up Pulumi in my environment and I am getting the error while creating an S3 bucket [10:30 AM] it worked if I pass on my AWS access key and secret key but it is not working with the role which is attached to my EC2 even though it has the necessary permission [10:30 AM] error getting S3 Bucket Object Lock configuration: AccessDenied: Access Denied”

gifted-gigabyte-53859

01/12/2024, 12:33 AM
Run the same S3 command on the instance manually with the aws cli and see if you get the same error
If the aws cli command works OK using the instance role, check that there's no leftover config anywhere around in config files, or the environment, that might be feeding outdated or incorrect credentials to Pulumi

brainy-flower-70624

01/12/2024, 5:54 AM
Hi @gifted-gigabyte-53859, I have tried to create an S3 bucket using the aws cli and it worked fine with the same IAM Role access, but when I try to run Pulumi it is not working and shows the mentioned error. It works if I use an access key/secret key. Also, I checked there is no other config on my system.

gifted-gigabyte-53859

01/12/2024, 8:53 AM
Please post your exact error message, and also your stack config file (redact any sensitive info)
@brainy-flower-70624 is this the full error, or is there more?
```
error getting S3 Bucket Object Lock configuration: AccessDenied: Access Denied
```

brainy-flower-70624

01/12/2024, 9:51 AM
```
$ cat Pulumi.yaml
name: testprj
runtime: yaml
description: A minimal AWS Pulumi YAML program
outputs:
  # Export the name of the bucket
  bucketName: ${my-bucket.id}
resources:
  # Create an AWS resource (S3 Bucket)
  my-bucket:
    type: aws:s3:Bucket
$
$ cat Pulumi.dev.yaml
encryptionsalt: v1zlMqOFfr+GA=v1b5YDqHAagdj6CyEOMe/rz/Fs4WbZrqi4I3vYI6/m/nkZlw==
config:
  aws:region: us-east-1
  aws:skipMetadataApiCheck: "false"
$
$ pulumi up
Enter your passphrase to unlock config/secrets
    (set PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE to remember):
Previewing update (dev):
     Type                 Name         Plan
     pulumi:pulumi:Stack  testprj-dev
 ~   └─ aws:s3:Bucket     my-bucket    update

Outputs:
  + bucketName: "my-bucket-fd8d47d"

Resources:
    ~ 1 to update
    1 unchanged

Do you want to perform this update? yes
Updating (dev):
     Type                 Name         Status           Info
     pulumi:pulumi:Stack  testprj-dev  failed           1 error
 ~   └─ aws:s3:Bucket     my-bucket    updating failed  1 error

Diagnostics:
  pulumi:pulumi:Stack (testprj-dev):
    error: update failed

  aws:s3:Bucket (my-bucket):
    error: Resource provider reported that the resource did not exist while updating urn:pulumi:dev::testprj::aws:s3/bucket:Bucket::my-bucket.
    This is usually a result of the resource having been deleted outside of Pulumi, and can often be fixed by running `pulumi refresh` before updating.

Resources:
    1 unchanged

Duration: 1s
$
```
Attached all the details

gifted-gigabyte-53859

01/15/2024, 2:55 AM
@brainy-flower-70624 the error you're getting from pulumi indicates that the credentials are working, since it can read whether the bucket exists or not. The error is related to the bucket not existing, not related to lacking authorisation
Try `pulumi refresh` as suggested in the error message
Also check that the ec2 instance role assigned to your instance has permission to act in S3

brainy-flower-70624

01/22/2024, 2:34 PM
Can you also let us know how we can set the default action to yes when we perform the pulumi up command?

little-cartoon-10569

01/22/2024, 7:51 PM
You can use either `pulumi up --yes` (to preview then deploy, automatically) or `pulumi up --skip-preview` (which only deploys, and therefore doesn't need the interactive response at all).

gifted-gigabyte-53859

01/23/2024, 12:50 AM
@brainy-flower-70624 I have an alias in my shell. `-y` is yes. `--skip-preview` does what it says 😉
```
% alias
grs='git reset --soft HEAD~1'
pdiff='pulumi preview --diff'
pref='pulumi refresh'
'pref!'='pulumi refresh -y --skip-preview'
pup='pulumi up'
'pup!'='pulumi up -y --skip-preview'
run-help=man
which-command=whence
```

little-cartoon-10569

01/23/2024, 1:07 AM
`-y --skip-preview` is redundant. `--yes` or `-y` effectively answers yes to the post-preview question "Do you want to continue?". If you skip the preview, the question is never asked, so it doesn't need to be skipped.

gifted-gigabyte-53859

01/23/2024, 1:46 AM
You're right, thanks for pointing that out.