hey friends, i'm having trouble getting Pulumi to pick up and use my AWS credentials that were generated from AWS SSO my stack config

config:
  aws:region: eu-west-1
  aws:profile: pulumi

my AWS CLI config:

[sso-session sso]
sso_start_url = https://<REDACTED>.<http://awsapps.com/start#|awsapps.com/start#>
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile pulumi]
sso_session = sso
sso_account_id = <REDACTED>
sso_role_name = <REDACTED>
region = eu-west-1
output = json

i can use the AWS CLI just fine:

aws sts get-caller-identity --profile pulumi
{
    "UserId": "<REDACTED>",
    "Account": "<REDACTED>",
    "Arn": "arn:aws:sts::<REDACTED>:assumed-role/AWSReservedSSO_<REDACTED>"
}

but when running

pulumi up

or anything that needs to talk to the cloud provider i get the following error message:

error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configuration

i've also tried running

AWS_PROFILE=pulumi pulumi up

with the same result. any ideas?

I'm curious @breezy-butcher-78604 what happens if you use the

default

profile? Here is my

~/.aws/config

which us slightly different than yours...

You shouldn't use any profile when creating an aws.Provider with the intention of using the SSO details. Just let Pulumi figure it out.

same error even when configuring the default profile as you have @steep-sunset-89396

I'm assuming you opened the SSO sessions, right? (I made that mistake once🤦‍♂️ and I was loosing my marbles)

yeah theres definitely valid creds/session since I can use the aws CLI without issue

Let me break my env and get back to you.

are there any debug switches/config i can add to get some more information on how the provider is trying to find creds?

--verbose=11 --logtostderr

is the combo to use first.

When you're creating the provider, pass no parameters (other than region). If you're using the default provider (which I recommend you don't do), then ensure that AWS_PROFILE, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are all unset.

yeah definitely confirmed there's no other

AWS_*

variables set

Then it should work. Anything else I come up with here will be pure guesswork 🙂 The region you use in your sso-session block should be the region that your IAM Identity Centre created the SSO IdP or external IdP connection in. Not the region that your profile uses.

yep, makes sense, have confirmed that also

Are you creating an aws.Provider instance? Or maybe more than one? Or are you using only the default aws.Provider?

just the default. its a very simple project with a few resources in it.

Try manually creating an aws.Provider with just the region and profile parameters set, and pass that to all the resoruces.

i'll give it a go

@breezy-butcher-78604 ok, so your setup seems to be working for me. The

default

fails on

p up

because it's not auth'ed and adding a

aws:profile: pulumi

works fine. No need to create any extra provider either.

using a non-default provider is causing the same error for me

For those in that situation... It's because the stack state holds an existing provider which contains the aws profile. running

pulumi up --target 'provider url'

and setting the desired

aws:profile: profileName

beforehand should solve the situation. This was visible when exporting the stack state via

pulumi stack export

. Thanks to @breezy-butcher-78604 for his tests as well.

Ah, the old provider-in-the-state trick.

i didn't have to add a profile to state or anything, in my case just doing a targeted

pulumi up

on the provider (after updating provider versions locally) fixed the issue