https://pulumi.com logo
#aws
Title
# aws
h

helpful-kitchen-78641

01/12/2021, 10:51 PM
Hi there, all of a sudden i'm getting the following error when trying to do a
pulumi up
or
pulumi refresh
using an S3 bucket as my backend:
Copy code
error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configuration
AFAIK nothing has changed in my
~/.aws/config
or
~/.aws/credentials
file. I've also tried specifying a profile as suggested here ( github.com/pulumi/pulumi-aws/issues/252#issuecomment-401405577 ) but i'm continuing to bang my head on this problem
b

billowy-army-68599

01/12/2021, 10:53 PM
Does aws sts get-caller-identity return the account you expect it to?
h

helpful-kitchen-78641

01/12/2021, 10:56 PM
yes, though i should add that the backend bucket is in one account (which is accessible via my
default
profile) and the resources it's creating are in another (
staging
). The
aws:profile
specified in my
Pulumi.stackname.yaml
has permission to create/modify those resources
the accounts should have cross account access to this bucket, and this did work in the past and i'm a little lost why i just recently started getting this message
b

billowy-army-68599

01/13/2021, 12:19 AM
something to bear in mind, the credential provider for the bucket access and your pulumi program are slightly different, i can't help with debugging, but bear that in mind
h

helpful-kitchen-78641

01/13/2021, 12:24 AM
any thoughts on how to maybe get some more info? I've tried
-v=3
but it doesn't show anything extra
and would
AWS_SDK_LOAD_CONFIG=1
make the credentials provider more similar?
thanks for that additional info on the credentials provider though, it might give me a new wall to bang my head against lol
b

billowy-army-68599

01/13/2021, 12:29 AM
-v=9 --logtostderr
not the bucket, which is configured in the CLI
if you do:
Copy code
export AWS_PROFILE=<your profile name>
aws sts get-caller-identity
does it work?
also are you using aws sso?
h

helpful-kitchen-78641

01/13/2021, 12:37 AM
aws sts get-caller-identity
appears to work, with an appended
/botocore-session-16[....]
to the account/role i would expect to see, and we are not using aws sso
another "interesting" thing i just noticed,
pulumi preview --diff
has no problems
2 Views