https://pulumi.com logo
Powered by
Title
h

helpful-kitchen-78641

01/12/2021, 10:51 PM
Hi there, all of a sudden i'm getting the following error when trying to do a 
pulumi up
or 
pulumi refresh
using an S3 bucket as my backend: 
error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configuration
AFAIK nothing has changed in my 
~/.aws/config
or 
~/.aws/credentials
file. I've also tried specifying a profile as suggested here ( github.com/pulumi/pulumi-aws/issues/252#issuecomment-401405577 ) but i'm continuing to bang my head on this problem
b

billowy-army-68599

01/12/2021, 10:53 PM
Does aws sts get-caller-identity return the account you expect it to?
h

helpful-kitchen-78641

01/12/2021, 10:56 PM
yes, though i should add that the backend bucket is in one account (which is accessible via my 
default
profile) and the resources it's creating are in another (
staging
). The 
aws:profile
specified in my 
Pulumi.stackname.yaml
has permission to create/modify those resources
the accounts should have cross account access to this bucket, and this did work in the past and i'm a little lost why i just recently started getting this message
b

billowy-army-68599

01/13/2021, 12:19 AM
something to bear in mind, the credential provider for the bucket access and your pulumi program are slightly different, i can't help with debugging, but bear that in mind
h

helpful-kitchen-78641

01/13/2021, 12:24 AM
any thoughts on how to maybe get some more info? I've tried 
-v=3
but it doesn't show anything extra
and would 
AWS_SDK_LOAD_CONFIG=1
make the credentials provider more similar?
thanks for that additional info on the credentials provider though, it might give me a new wall to bang my head against lol
b

billowy-army-68599

01/13/2021, 12:29 AM
-v=9 --logtostderr
@helpful-kitchen-78641 the error is coming from the provider: https://github.com/pulumi/pulumi-aws/blob/977a37d229d67a024220ed7eb197625922b9b0ce/provider/resources.go#L252
not the bucket, which is configured in the CLI
if you do: 
export AWS_PROFILE=<your profile name>
aws sts get-caller-identity
does it work?
also are you using aws sso?
h

helpful-kitchen-78641

01/13/2021, 12:37 AM
aws sts get-caller-identity
appears to work, with an appended 
/botocore-session-16[....]
to the account/role i would expect to see, and we are not using aws sso
another "interesting" thing i just noticed, 
pulumi preview --diff
has no problems
#awsJoin Slack
Powered by