Hi All, I'm not sure if it is a bug or expected behaviour. Context: there is a CI job as github action where command

pulumi preview -s dev

is invoked.

Pulumi.dev.yaml

has variable

aws-native:profile

which is set to profile name that is used by developers. In order for CI job to work this variable is remove before running preview command. Issue: If preview command is executed with

refresh: always

provider is looking for aws profile that is used for local operation and fails - CI job uses different one. Output looks like this:

Previewing update (dev):
[resource plugin awsx-2.11.0] installing
[resource plugin docker-4.5.4] installing
[resource plugin aws-native-0.108.1] installing
[resource plugin aws-6.37.1] installing
[resource plugin aws-6.38.1] installing
@ previewing update.................
@ previewing update....
 ~  pulumi:pulumi:Stack <name hidden>-dev refreshing 
 ~  pulumi:pulumi:Stack <name hidden>-dev refreshing 
 ~  aws:ec2:Vpc default refreshing 
 ~  aws-native:iam:Role github_ci_readonly refreshing 
 ~  aws-native:iam:Role github_ci_readonly refreshing error: Preview failed: could not load AWS config: failed to get shared config profile, <profile name>

Question 1: Why profile is stored in pulumi state? Question 2: How to make pulumi to ignore stored in state profile name?

Not an exact answer to your question, but it looks you’re at the point where you should consider creating your own providers. When you create the provider yourself, you have control over profile name etc. We also have times where we need to set different profile names depending on the context of where the code is run, and custom providers fixed that and gave us some additional benefits (eg. not accidentally running in wrong AWS account) Here is a simplified version of what we use to lazily create our provider (this is in a shared library)

let provider: awsNative.Provider;

const DEFAULT_REGION: awsNative.Region = "us-east-2";

export function getAwsRegion(): awsNative.Region {
  return new pulumi.Config().get("aws-region") || DEFAULT_REGION;
}

export function getAwsNativeProvider(): awsNative.Provider {
  if (!provider) {
    const accountName: string = new pulumi.Config().require("aws-account-name");
    provider = new awsNative.Provider("aws-native", {
      region: getAwsRegion(),
      allowedAccountIds: [getAwsAccountId(accountName)],
    });
  }
  return provider;
}

And our

Pulumi.$STACK.yaml

ends up looking like this

config:
  example:aws-account-name: dev
  example:aws-region: us-east-2
  pulumi:disable-default-providers:
    - aws

@limited-window-74907 Thanks for the tip. I implemented it but it is still failing since state file captures input for provider resource and use values when refresh operation is invoked (at least I understand it this way).

{
                    "urn": "urn:pulumi:dev::ops-base::pulumi:providers:aws-native::default-aws-native-provider",
                    "custom": true,
                    "id": "06359dcb-...-00ccab670da1",
                    "type": "pulumi:providers:aws-native",
                    "inputs": {
                        "profile": "<profile name>",
                        "region": "<region value>",
                        "skipCredentialsValidation": "true",
                        "skipGetEc2Platforms": "true",
                        "skipMetadataApiCheck": "true",
                        "skipRegionValidation": "true",
                        "version": "0.108.3"
                    },

I have last idea - to remove values from state file and add them to

ignore_changes

at

ResourceOptions

which is passed to provider constructor.