# aws
b
I'm a bit confused. From the docs it sounds like if you export `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_REGION`, `pulumi` should use those credentials over anything in `~/.aws/credentials`. I'm using `aws-vault`, e.g. `aws-vault exec <profile> pulumi up`, and I've checked with `aws-vault exec <profile> aws sts get-caller-identity` that both accounts are accessible as expected, but `pulumi` is using the credentials from the default profile in `~/.aws/credentials` and `~/.aws/config`. Setting `AWS_PROFILE=<profile> pulumi up` works as expected, but I'd much rather use `aws-vault` or similar tooling.
l
Are you using the default Pulumi AWS provider? If you are, are you setting any provider configuration in your Pulumi.stack.yaml file? The YAML file beats env vars, so if you are (for example) setting the AWS provider's profile to be $AWS_PROFILE, then AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY won't get used, because you're telling Pulumi to use the profile. Even if it's empty.
b
I think the only thing we set is the AWS region
l
Not sure then. Given "or similar tooling", you could try Pulumi ESC. However, what you're doing should work; I can't see why not. Try it without any `aws:` in your stack config?
b
I'll give that a shot in a bit, thanks :)
Dropping the `aws:region` field in the stack config didn't do anything
l
Are you using the default provider, or creating an instance of it? If you're creating your own instance, can you post the code?
b
It's the default provider
l
Last thing I can think of: is `aws-vault` setting `AWS_ACCESS_KEY_ID` and `AWS_PROFILE`? Can you run `aws-vault exec env | grep AWS`?
b
```
aws-vault exec testing -- env | grep AWS | cut -f 1 -d '=' | xclip
```
```
AWS_VAULT_BACKEND
AWS_VAULT
AWS_REGION
AWS_DEFAULT_REGION
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
AWS_CREDENTIAL_EXPIRATION
```
Looks like it isn't
l
I'm looking for the code that builds the default provider, but I'm having no luck. There is a certain magic in the codebase....
b
I was looking for that earlier, searching for `AWS_SECRET_ACCESS_KEY` and couldn't figure it out
l
I don't know then. For debugging purposes, you could update index.ts to console.log all the relevant env vars; maybe there's something odd in your imports, and something is setting AWS_PROFILE=default in your program...?
And for that matter, you could rename your default profile, so that you have no default profile. See if that produces different results that may help you track the problem down.