edit: sorry, it’s late - i see you did. can you de...
# aws
edit: sorry, it’s late - i see you did. can you describe what’s not working?
i have setup AWS SSO and that is working as it should. I can switch between profiles and if i call
aws sts get-caller-identity
it will return the correct account id depending on the profile i call it with. But when i try to define a profile in the stack config, it is not working. It will still try to get credentials from the .aws/credentials file and if those credentials are not for the correct AWS account, i will just get some 403 errors when pulumi tries to delete resources it does not have credentials to access. I already tried a few things, but i also cant figure out if it is even supported or not by pulumi, so i thought i'd ask here to see if anyone has experience in this 🙂
Do you refer to setting up an AWS profile using the AWS SSO functionality in AWS CLI v2? I think this may be an issue with lack of support in the AWS SDKs to handle such profiles. We have used AWS SSO (with AWS Control Tower) at clients and profiles set up using AWS CLI v2 has not worked for deploying solutions - we still have had to use the approach to copy temporary AWS profile info from the AWS SSO account list web page.
yea thats what im talking about. I was also wondering whether it is a problem on the pulumi end, or AWS end. What is strange though is that the calls in general using this --profile argument works: e.g if i call:
aws2 sts get-caller-identity
i will get my personal account but if i call
aws2 sts get-caller-identity --profile someProfile
i will get info from the other account. I would assume pulumi works by calling the cli in the same fashion? So really not sure where the problem is and why its not really working. 😕
The AWS CLI can handle those types of profiles, but code based on AWS SDKs cannot, currently. My guess is that Pulumi uses the AWS SDKs. It is the same problem with other tools, including AWS CDK.
i see... thats annoying. Do you have any idea if this is on the roadmap for the SDK and if so when?
I do not know when, but it is on the roadmap AFAIK.
ok, thanks for the help, i guess ill just copy credentials for now then and wait for the fix 🙂