# aws
s
Edit: sorry, it’s late - I see you did. Can you describe what’s not working?
g
I have set up AWS SSO and that is working as it should. I can switch between profiles and if I call
aws sts get-caller-identity
it will return the correct account ID depending on the profile I call it with. But when I try to define a profile in the stack config, it is not working. It will still try to get credentials from the .aws/credentials file, and if those credentials are not for the correct AWS account, I will just get some 403 errors when Pulumi tries to delete resources it does not have credentials to access. I already tried a few things, but I also can't figure out if it is even supported or not by Pulumi, so I thought I'd ask here to see if anyone has experience in this 🙂
q
Do you refer to setting up an AWS profile using the AWS SSO functionality in AWS CLI v2? I think this may be an issue with lack of support in the AWS SDKs to handle such profiles. We have used AWS SSO (with AWS Control Tower) at clients, and profiles set up using AWS CLI v2 have not worked for deploying solutions - we still have had to use the approach of copying temporary AWS profile info from the AWS SSO account list web page.
g
Yeah, that's what I'm talking about. I was also wondering whether it is a problem on the Pulumi end or the AWS end. What is strange though is that the calls in general using this --profile argument work, e.g. if I call:
aws2 sts get-caller-identity
I will get my personal account, but if I call
aws2 sts get-caller-identity --profile someProfile
I will get info from the other account. I would assume Pulumi works by calling the CLI in the same fashion? So really not sure where the problem is and why it's not really working. 😕
q
The AWS CLI can handle those types of profiles, but code based on AWS SDKs cannot, currently. My guess is that Pulumi uses the AWS SDKs. It is the same problem with other tools, including AWS CDK.
g
I see... that's annoying. Do you have any idea if this is on the roadmap for the SDK and if so when?
q
I do not know when, but it is on the roadmap AFAIK.
g
OK, thanks for the help, I guess I'll just copy credentials for now then and wait for the fix 🙂