breezy-butcher-78604
02/20/2024, 7:17 AM
config:
  aws:region: eu-west-1
  aws:profile: pulumi
my AWS CLI config:
[sso-session sso]
sso_start_url = https://<REDACTED>.awsapps.com/start#
sso_region = us-east-1
sso_registration_scopes = sso:account:access
[profile pulumi]
sso_session = sso
sso_account_id = <REDACTED>
sso_role_name = <REDACTED>
region = eu-west-1
output = json
i can use the AWS CLI just fine:
aws sts get-caller-identity --profile pulumi
{
    "UserId": "<REDACTED>",
    "Account": "<REDACTED>",
    "Arn": "arn:aws:sts::<REDACTED>:assumed-role/AWSReservedSSO_<REDACTED>"
}
but when running pulumi up or anything that needs to talk to the cloud provider i get the following error message:
error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configuration
i've also tried running AWS_PROFILE=pulumi pulumi up with the same result. any ideas?
breezy-butcher-78604
02/20/2024, 7:22 AM
"@pulumi/aws": "^6.22.0",
"@pulumi/pulumi": "^3.105.0",
steep-sunset-89396
02/20/2024, 10:13 AM
default profile? Here is my ~/.aws/config which is slightly different than yours...
steep-sunset-89396
02/20/2024, 10:15 AM
[default]
sso_region = us-west-2
sso_start_url = https://d-<REDACTED>.awsapps.com/start
sso_account_id = 123412341234
sso_role_name = AdministratorAccess
region = ap-southeast-2
output = json
And then I log in using this command aws sso login --no-browser.
little-cartoon-10569
02/20/2024, 7:43 PM
breezy-butcher-78604
02/21/2024, 2:04 AM
breezy-butcher-78604
02/21/2024, 2:05 AM
You shouldn't use any profile when creating an aws.Provider with the intention of using the SSO details. Just let Pulumi figure it out.
i have a bunch of different profiles set up so I imagine i'd need to provide some kind of hint on which one to use right?
steep-sunset-89396
02/21/2024, 2:20 AM
breezy-butcher-78604
02/21/2024, 2:21 AM
steep-sunset-89396
02/21/2024, 2:22 AM
breezy-butcher-78604
02/21/2024, 2:26 AM
steep-sunset-89396
02/21/2024, 2:28 AM
--verbose=11 --logtostderr is the combo to use first.
little-cartoon-10569
02/21/2024, 2:32 AM
little-cartoon-10569
02/21/2024, 2:32 AM
little-cartoon-10569
02/21/2024, 2:33 AM
little-cartoon-10569
02/21/2024, 2:37 AM
little-cartoon-10569
02/21/2024, 2:39 AM
AWS_PROFILE=pulumi pulumi up and you have AWS_ACCESS_KEY_ID set, then AWS_ACCESS_KEY_ID will take precedence. If you don't have AWS_SECRET_ACCESS_KEY set, then you'll see that error message (I think).
breezy-butcher-78604
02/21/2024, 2:40 AM
AWS_* variables set
breezy-butcher-78604
02/21/2024, 2:40 AM
AWS_PROFILE
little-cartoon-10569
02/21/2024, 2:42 AM
breezy-butcher-78604
02/21/2024, 2:47 AM
little-cartoon-10569
02/21/2024, 2:50 AM
breezy-butcher-78604
02/21/2024, 2:51 AM
little-cartoon-10569
02/21/2024, 2:52 AM
little-cartoon-10569
02/21/2024, 2:53 AM
pulumi to something that sets some env vars.
breezy-butcher-78604
02/21/2024, 2:53 AM
steep-sunset-89396
02/21/2024, 2:58 AM
default fails on p up because it's not auth'ed and adding an aws:profile: pulumi works fine. No need to create any extra provider either.
breezy-butcher-78604
02/21/2024, 2:58 AM
breezy-butcher-78604
02/21/2024, 2:59 AM
breezy-butcher-78604
02/21/2024, 3:19 AM
steep-sunset-89396
02/21/2024, 3:20 AM
pulumi up --target 'provider url' and setting the desired aws:profile: profileName beforehand should solve the situation. This was visible when exporting the stack state via pulumi stack export. Thanks to @breezy-butcher-78604 for his tests as well.
little-cartoon-10569
02/21/2024, 3:20 AM
breezy-butcher-78604
02/21/2024, 3:21 AM
pulumi up on the provider (after updating provider versions locally) fixed the issue
breezy-butcher-78604
02/21/2024, 3:21 AM
breezy-butcher-78604
02/21/2024, 3:22 AM
pulumi up on the provider only fixed everything. thanks for the help