good afternoon! i've got a weird issue that i hope...
# pulumi-cloud
good afternoon! i've got a weird issue that i hope might pique somebody's curiosity. i have a project (all AWS provider and configured to use OIDC) that's working just fine in `us-east-1`. i added a second stack to use `aws:region: eu-central-2` and then the preview fails with
```
Diagnostics:
  pulumi:pulumi:Stack (networking-xxx-stg.eu-central-2):
    error: awsx:ec2:Vpc resource 'xxx' has a problem: grpc: the client connection is closing

  pulumi:providers:aws (default_6_47_0):
    error: pulumi:providers:aws resource 'default_6_47_0' has a problem: Invalid credentials configured.
```
so here's the fun part. i set `AWS_REGION=eu-central-2` for that stack and it worked. looking into the cloudtrail logs, it looks like the one that failed was issued an access key from `us-east-1`. the one that succeeded was issued from `eu-central-2`. this leads me to believe that the ENV var is influencing whatever you run initially to do the `AssumeRoleWithWebIdentity` (from the deployment logs, it looks like it's calling `pulumi-deploy-executor oidc ...`). considering this isn't documented anywhere when talking about configuring the regions, i'm assuming this is not expected?
we don't have anything in our IAM policy for the role that should impact it. and as far as i can tell we don't have any sort of weird SCP that says something along the lines of `DENY if resource.region != token.region`
looking at the deployment logs, fetching the credentials happens before the source is downloaded, so it's impossible for it to be using the `aws:config` value in any way
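The CloudTrail comparison described in the post can be scripted. This is an added example, not part of the original post and not Pulumi's code: it lists which region's STS endpoint issued each `AssumeRoleWithWebIdentity` credential and flags the ones issued outside the region the stack deploys to. The records, session names, key ids and the `expected` mapping are constructed assumptions.

```python
# Constructed CloudTrail records (not from the original post). Field names follow
# the CloudTrail record format; session names and access key ids are made up.
RECORDS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithWebIdentity",
     "awsRegion": "us-east-1",
     "requestParameters": {"roleSessionName": "networking-stg-us-east-1"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE00000001"}}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithWebIdentity",
     "awsRegion": "us-east-1",
     "requestParameters": {"roleSessionName": "networking-stg-eu-central-2"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE00000002"}}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithWebIdentity",
     "awsRegion": "eu-central-2",
     "requestParameters": {"roleSessionName": "networking-stg-eu-central-2"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE00000003"}}},
    # Unrelated event, present to show that non-STS records are ignored.
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVpcs",
     "awsRegion": "eu-central-2"},
]


def issued_credentials(records):
    """Return one entry per successful AssumeRoleWithWebIdentity event."""
    issued = []
    for rec in records:
        if rec.get("eventSource") != "sts.amazonaws.com":
            continue
        if rec.get("eventName") != "AssumeRoleWithWebIdentity" or rec.get("errorCode"):
            continue
        creds = (rec.get("responseElements") or {}).get("credentials") or {}
        params = rec.get("requestParameters") or {}
        issued.append({
            "session": params.get("roleSessionName"),
            "access_key": creds.get("accessKeyId"),
            "issued_in": rec.get("awsRegion"),  # region of the STS endpoint that answered
        })
    return issued


def region_mismatches(records, expected):
    """expected: session name -> region the stack targets (hypothetical input)."""
    return [c for c in issued_credentials(records)
            if c["session"] in expected and expected[c["session"]] != c["issued_in"]]


if __name__ == "__main__":
    expected = {"networking-stg-us-east-1": "us-east-1",
                "networking-stg-eu-central-2": "eu-central-2"}
    for hit in region_mismatches(RECORDS, expected):
        print(hit)
```

For a real trail file, pass `json.load(f)["Records"]` as `records`.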