# aws
d
Hi all 👋, I'm running into an issue which I assume is down to me just missing something. I'm trying to:

1. create an AWS account
2. create an AWS Provider using the auto-created admin role for said account
3. use the Provider to create an S3 bucket in that new account

However, I'm getting the following error upon trying to create the bucket.
```
aws:s3:BucketV2 (corridor.dev.BucketV2):
    error:   sdk-v2/provider2.go:509: sdk.helper_schema: creating S3 Bucket (corridor.dev.backend): operation error S3: CreateBucket, https response error StatusCode: 403, RequestID: 703D7JGSHBVTGASK, HostID: g871I2Ez8X1AnVPnZCvshAMmoUsaTTPwtKLdT+KPT8vIruUokT9FLITxEoSwsoaDli+uo0b1H6E=, api error NotSignedUp: Your account is not signed up for the S3 service. You must sign up before you can use S3.: provider=aws@6.77.0
    error: 1 error occurred:
    	* creating S3 Bucket (corridor.dev.backend): operation error S3: CreateBucket, https response error StatusCode: 403, RequestID: 703D7JGSHBVTGASK, HostID: g871I2Ez8X1AnVPnZCvshAMmoUsaTTPwtKLdT+KPT8vIruUokT9FLITxEoSwsoaDli+uo0b1H6E=, api error NotSignedUp: Your account is not signed up for the S3 service. You must sign up before you can use S3.
```
It subsequently succeeds on the second attempt of running `pulumi up`. Is there something I should be doing to check that account creation and roles are ready before continuing on with the Provider and S3 setup? Currently my code for the above process looks something like:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Organizational unit the new account is placed under (details elided in the post).
const org = new aws.organizations.OrganizationalUnit(/* ... */);

// Create the member account; AWS auto-creates the admin role named by `roleName`
// inside it, which the management account is allowed to assume.
const account = new aws.organizations.Account(
  "Account",
  {
    parentId: org.id,
    email: "an.email@domain.com",
    roleName: "OrganizationalAccountAccessRole",
    closeOnDeletion: true,
  },
  { parent: org },
);

// Explicit provider that assumes the auto-created role in the new account.
// allowedAccountIds guards against accidentally targeting the wrong account.
const provider = new aws.Provider(
  "Provider",
  {
    allowedAccountIds: [account.id],
    assumeRole: {
      roleArn: pulumi.interpolate`arn:aws:iam::${account.id}:role/${account.roleName}`,
    },
  },
  { parent: account },
);

// Bucket created in the new account via the explicit provider above.
const bucket = new aws.s3.BucketV2(
  "Bucket",
  { bucket: "backend" },
  { parent: account, provider },
);
```
e
Permissions and accounts in AWS sometimes take a little bit to synchronise. This is a good example of needing retry options (https://github.com/pulumi/pulumi/issues/7932) or a post-create hook (https://github.com/pulumi/pulumi/issues/1691) to add custom await logic so the program does not carry on until the account reports the right permissions.
q
You could try using the AWS CloudControl provider instead for creating the account: https://www.pulumi.com/registry/packages/aws-native/api-docs/organizations/account/ AWS CloudControl integrates with the same handlers AWS CloudWatch uses under the hood. Those can hook into internal AWS APIs to wait for roles and the like to be propagated. I haven't tested whether they've also added wait logic for Organizations accounts, but they've done that for IAM roles in order to get around eventual-consistency issues. Worth a try!
d
Ah, thanks both. I was worried that'd be the case, but I also haven't taken the time to explore the aws-native constructs, so I'll give that a go.
g
I generally advise against `aws-native` because it is built on top of CloudFormation and is way slower than the traditional API. Another option you can try is to introduce a delay: https://www.pulumi.com/registry/packages/time/