Does anybody know how to stop Pulumi using system ...
# getting-started
Does anybody know how to stop Pulumi using system ~/.aws/credentials? I have this defined in my Pulumi.yaml but it doesn’t seem to make any difference?
```yaml
runtime: go

config:
    pulumi:disable-default-providers: ["*"]

    pulumi:tags:
        value:
            pulumi:template: aws-go
```
I’m also explicitly creating the provider and using credentials from environment variables. If I run `pulumi up` without providing these environment variables, Pulumi uses the system credentials even though default providers should be disabled?
```go
package internal

import (
	"os"

	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

const (
	PROVIDER_NAME = "custom-aws-provider"
)

// InitAwsProvider creates an explicit AWS provider from environment
// variables and registers a stack transformation that attaches that
// provider to every resource created afterwards, so nothing falls back
// to the default provider.
func InitAwsProvider(ctx *pulumi.Context) error {
	provider, err := aws.NewProvider(ctx, PROVIDER_NAME, NewAwsProviderArgs(), nil)
	if err != nil {
		return err
	}

	// RegisterStackTransformation returns an error; propagate it instead
	// of discarding it.
	return ctx.RegisterStackTransformation(
		func(args *pulumi.ResourceTransformationArgs) *pulumi.ResourceTransformationResult {
			return &pulumi.ResourceTransformationResult{
				Props: args.Props,
				Opts:  append(args.Opts, pulumi.Provider(provider)),
			}
		},
	)
}

// NewAwsProviderArgs builds the provider arguments from AWS_ACCESS_KEY_ID,
// AWS_SECRET_ACCESS_KEY and AWS_REGION. An unset variable yields an empty
// string, which the provider treats as "not supplied"; the AWS SDK's normal
// credential chain (including ~/.aws/credentials) is then consulted, which is
// the behaviour observed in this thread.
func NewAwsProviderArgs() *aws.ProviderArgs {
	return &aws.ProviderArgs{
		AccessKey: pulumi.String(os.Getenv("AWS_ACCESS_KEY_ID")),
		SecretKey: pulumi.String(os.Getenv("AWS_SECRET_ACCESS_KEY")),
		Region:    pulumi.String(os.Getenv("AWS_REGION")),
	}
}
```
That's expected behaviour. If you want it to use only the env vars and the env vars aren't set, then you'll need to throw an exception at that time.
BTW, you are using permanent credentials. Can I recommend short-lived credentials? You need a session token.
Is there no way I can disable use of local credentials entirely?
Yeah! I was trying to work out how to add short lived credentials, can you link me to the documentation for AWS? I only found seemingly outdated documentation?
The loading of local credentials is part of AWS' SDK, so no, you can't do it "inside" the Provider. You can do it in your `NewAwsProviderArgs` function easily.
Okay, no problem. I’ll verify the existence of the environment variables in that function. What is the purpose of `pulumi:disable-default-providers: ["*"]` in such a case?
I recommend this starting point for the credentials question: https://leebriggs.co.uk/blog/2022/09/05/authenticating-to-aws-the-right-way
Perfect, I’ll take a look. I appreciate the help 👍
`pulumi:disable-default-providers: ["*"]` will cause Pulumi to throw an exception any time a resource is constructed without an explicit provider being passed in.
But if you pass in an explicit provider that is "the same" as the default one, it'll work ok.
I see! But since I’m passing the provider in manually, that prevents the exception, presumably?
Yes
Yeah that makes perfect sense, thanks for explaining!