# typescript
Howdy peeps. I'm new to Pulumi, I am having issues deploying. In my organisation I assume the role `PowerUserAccess` with `saml2aws` to the `test` account, and Pulumi seems to be OK picking up the credentials from the `~/.aws/credentials` file and creating resources. But I cannot create IAM policies with this role due to the policies on the role. We have another account, `control`, that does our deployments for us. If I log in to it with `saml2aws` and modify that stack's `pulumi.dev.yaml` file to have this:
```yaml
config:
  aws:assumeRole:
    roleArn: arn:aws:iam::<<test acc id>>:role/ExternalDeployer
  aws:region: ap-southeast-2
  prima-data-ingestion:vpcId:
    secure: <<VPC ID>>
```
When I `pulumi up` I get:
```text
error: Error: invocation of aws:kms/getKey:getKey returned an error: unable to validate AWS credentials. Make sure you have:

         • Set your AWS region, e.g. `pulumi config set aws:region us-west-2`
         • Configured your AWS credentials as per <https://pulumi.io/install/aws.html>
         You can also set these via cli using `aws configure`.

        at Object.callback (/home/rhys/projects/pulumi/deploy/node_modules/@pulumi/runtime/invoke.ts:159:33)
        at Object.onReceiveStatus (/home/rhys/projects/pulumi/deploy/node_modules/@grpc/grpc-js/src/client.ts:338:26)
        at Object.onReceiveStatus (/home/rhys/projects/pulumi/deploy/node_modules/@grpc/grpc-js/src/client-interceptors.ts:426:34)
        at Object.onReceiveStatus (/home/rhys/projects/pulumi/deploy/node_modules/@grpc/grpc-js/src/client-interceptors.ts:389:48)
        at /home/rhys/projects/pulumi/deploy/node_modules/@grpc/grpc-js/src/call-stream.ts:276:24
        at processTicksAndRejections (internal/process/task_queues.js:77:11)
```
If I run `aws configure` and set the `Access Key ID` and `Secret Access Key`, set the correct `region` and leave the output format as `None`, it doesn't make any difference. I have also tried to put this information and the `token` into `~/.aws/credentials` and it still has the same issue. How do I get Pulumi to use the role for deployments? In Terraform it was as simple as adding this block to the AWS provider:
```hcl
assume_role {
    role_arn = "arn:aws:iam::<<test acc id>>:role/ExternalDeployer"
  }
```
(And I use actual values for `<<test acc id>>`, I'm just not going to put them on Slack, just FYI.) Thanks in advance.
If anyone comes across this, I figured it out. In the `Pulumi.<<stack>>.yaml` I needed to skip credentials validation, so the config looks like this:
```yaml
config:
  aws:assumeRole:
    roleArn: arn:aws:iam::<<Account_id>>:role/RoleName
  aws:skipCredentialsValidation: true
```
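A few helpers for the cross-account setup in this thread, added here as an example; this is not the poster's code and not part of the Pulumi AWS provider. They build the same `config:` block as above (the `sessionName` and `externalId` sub-keys of `aws:assumeRole` are provider settings the thread did not use; the ExternalId condition, the `pulumi-deploy` session name and the 12-digit account IDs are assumptions for illustration), generate the trust policy the target role needs before anyone in the deploying account can assume it, and check a caller identity to confirm a deploy really ran as that role. The last check matters once `aws:skipCredentialsValidation: true` is set, because that switches off the provider's up-front credential check that produced the error above, so a wrong profile is only noticed at the first real API call. Pure TypeScript, no AWS calls, runs offline.

```typescript
// Added example for this thread (not the poster's code): helpers for the
// cross-account assume-role deploy discussed above. No AWS SDK calls; the
// account IDs, role names and session name used here are placeholders.

export interface RoleArn {
  partition: string;
  accountId: string;
  roleName: string; // includes any IAM path, e.g. "deploy/ExternalDeployer"
}

// IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<path/name>
const ROLE_ARN_RE = /^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role\/([\w+=,.@\/-]+)$/;

export function parseRoleArn(arn: string): RoleArn {
  const m = ROLE_ARN_RE.exec(arn);
  if (!m) {
    throw new Error(`not an IAM role ARN: ${arn}`);
  }
  return { partition: m[1], accountId: m[2], roleName: m[3] };
}

export interface AssumeRoleOptions {
  sessionName?: string;              // recorded in CloudTrail on the assumed-role session
  externalId?: string;               // must match the target role's trust policy condition
  skipCredentialsValidation?: boolean;
}

// Build the `config:` block of Pulumi.<stack>.yaml using the same keys the
// poster used (aws:assumeRole, aws:region, aws:skipCredentialsValidation).
export function stackConfig(
  targetRoleArn: string,
  region: string,
  opts: AssumeRoleOptions = {},
): { config: Record<string, unknown> } {
  parseRoleArn(targetRoleArn); // fail fast on a typo rather than at `pulumi up`
  const assumeRole: Record<string, string> = { roleArn: targetRoleArn };
  if (opts.sessionName) assumeRole.sessionName = opts.sessionName;
  if (opts.externalId) assumeRole.externalId = opts.externalId;
  const config: Record<string, unknown> = {
    "aws:assumeRole": assumeRole,
    "aws:region": region,
  };
  if (opts.skipCredentialsValidation) {
    // Disables the provider's up-front credential check; a bad profile then
    // surfaces at the first real API call instead of before the deploy.
    config["aws:skipCredentialsValidation"] = true;
  }
  return { config };
}

// Trust policy for the target role (ExternalDeployer in the thread): only the
// named principal in the deploying account may assume it, and only when it
// presents the agreed ExternalId (assumed here as a confused-deputy guard).
export function trustPolicy(deployerPrincipalArn: string, externalId: string): object {
  parseRoleArn(deployerPrincipalArn);
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: { AWS: deployerPrincipalArn },
        Action: "sts:AssumeRole",
        Condition: { StringEquals: { "sts:ExternalId": externalId } },
      },
    ],
  };
}

// Check that a caller identity (JSON as printed by `aws sts get-caller-identity`,
// or the fields returned by aws.getCallerIdentity() in a Pulumi program) is an
// assumed-role session of the target role. Session ARNs look like
// arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>.
export function isSessionOf(callerIdentityJson: string, targetRoleArn: string): boolean {
  const target = parseRoleArn(targetRoleArn);
  const identity = JSON.parse(callerIdentityJson) as { Account?: string; Arn?: string };
  if (identity.Account !== target.accountId || !identity.Arn) return false;
  const m = /^arn:[a-z-]+:sts::(\d{12}):assumed-role\/([^\/]+)\/[^\/]+$/.exec(identity.Arn);
  if (!m) return false;
  const roleNameOnly = target.roleName.split("/").pop();
  return m[1] === target.accountId && m[2] === roleNameOnly;
}

// Constructed sample, shaped like `aws sts get-caller-identity` output after
// a successful assume-role into the (placeholder) test account.
export const SAMPLE_CALLER_IDENTITY = JSON.stringify({
  UserId: "AROAEXAMPLEID:pulumi-deploy",
  Account: "111111111111",
  Arn: "arn:aws:sts::111111111111:assumed-role/ExternalDeployer/pulumi-deploy",
});
```

The object `stackConfig` returns is the YAML shown in the thread; the same keys can also be set from the CLI with `pulumi config set --path aws:assumeRole.roleArn ...` and `pulumi config set aws:skipCredentialsValidation true`. The trust policy belongs on the role in the target account, and the ExternalId in it must be the same value placed under `aws:assumeRole.externalId`, otherwise `sts:AssumeRole` is denied.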
Oh, yeah, this is a new "feature" (bug) in the AWS provider. Very unintuitive to debug... even when I had AWS env vars set, pulumi complained.