could someone help me understand how pulumi updates the kubeconfig on EKS? my colleagues and my CI are having a heck of a time authenticating. Right now my CI is having

configured Kubernetes cluster is unreachable: unable to load schema information from the API server: the server has asked for the client to provide credentials

. We have a role that is defined in pulumi

rolemappings

for the cluster and I can confirm the IAM role is in aws-auth configmap. Anyone can auth to the cluster with k9s or kubectl using this role, but if anyone tries to do pulumi commands we get this auth error above. I can do anything beause I created the cluster I guess. I even tried using a different test account and have no issues, but my colleagues and my CI is broken. I am not using a providercredentialopts so pulumi is using whatever profile is in the default profile.

Did you set

creationRoleProvider

when you created the cluster? I ran into this issue when I first set up EKS and my solution was to use this parameter with a shared admin role. If you don't do this, the cluster is created with whatever your current AWS credentials are.

no i did not how interesting

I might've fixed this by editing my state file directly, but you also might be able to fix by just setting

creationRoleProvider

and updating the program.

interesting