https://pulumi.com
Join Slack
Does anybody know how to stop Pulumi using system ~/.aws/credentials? I have this defined in my Pulu...
# getting-started
l
Does anybody know how to stop Pulumi using system ~/.aws/credentials? I have this defined in my Pulumi.yaml but it doesn’t seem to make any difference?
Copy code
runtime: go

config:
    pulumi:disable-default-providers: ["*"]

    pulumi:tags:
        value:
            pulumi:template: aws-go
I’m also explicitly creating the provider and using credentials from environment variables, if I run 
pulumi up
without providing these environment variables pulumi uses system credentials even though default providers should be disabled?
Copy code
package internal

import (
	"os"

	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

const (
	PROVIDER_NAME = "custom-aws-provider"
)

func InitAwsProvider(ctx *pulumi.Context) error {
	provider, err := aws.NewProvider(ctx, PROVIDER_NAME, NewAwsProviderArgs(), nil)

	if err != nil {
		return err
	}

	ctx.RegisterStackTransformation(
		func(args *pulumi.ResourceTransformationArgs) *pulumi.ResourceTransformationResult {
			return &pulumi.ResourceTransformationResult{
				Props: args.Props,
				Opts:  append(args.Opts, pulumi.Provider(provider)),
			}
		},
	)

	return nil
}

func NewAwsProviderArgs() *aws.ProviderArgs {
	return &aws.ProviderArgs{
		AccessKey: pulumi.String(os.Getenv("AWS_ACCESS_KEY_ID")),
		SecretKey: pulumi.String(os.Getenv("AWS_SECRET_ACCESS_KEY")),
		Region:    pulumi.String(os.Getenv("AWS_REGION")),
	}
}
l
That's expected behaviour. If you want it to use only the env vars and the env vars aren't set, then you'll need to throw an exception at that time.
BTW, you are using permanent credentials. Can I recommend short-lived credentials? You need a session token.
l
Is there no way I can disable use of local credentials entirely?
Yeah! I was trying to work out how to add short lived credentials, can you link me to the documentation for AWS? I only found seemingly outdated documentation?
l
The loading of local credentials is part of AWS' SDK, so no, you can't do it "inside" the Provider. You can do it in your 
NewAwsProviderArgs
function easily.
l
Okay, no problem. I’ll verify the existence of the environment variables in that function. What is the purpose of 
pulumi:disable-default-providers: ["*"]
in such a case?
l
I recommend this starting point for the credentials question.: https://leebriggs.co.uk/blog/2022/09/05/authenticating-to-aws-the-right-way
l
Perfect, I’ll take a look. I appreciate the help 👍
l
pulumi:disable-default-providers: ["*"]
will cause Pulumi to throw an exception any time a resource is constructed without an explicit provider being passed in.
But if you pass in an explicit provider that is "the same" as the default one, it'll work ok.
l
I see! But since I’m passing the provider in manually that prevents the exception assumably?
l
Yes
l
Yeah that makes perfect sense, thanks for explaining!
3 Views
Open in Slack
PreviousNext
Powered by

Pulumi Community

No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Powered by