Hi there all of a sudden i m getting the following error whe Pulumi Community #aws

Hi there, all of a sudden i'm getting the followin...

helpful-kitchen-78641

01/12/2021, 10:51 PM

Hi there, all of a sudden i'm getting the following error when trying to do a

pulumi up

pulumi refresh

using an S3 bucket as my backend:

Copy code

error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configuration

AFAIK nothing has changed in my

~/.aws/config

~/.aws/credentials

file. I've also tried specifying a profile as suggested here ( github.com/pulumi/pulumi-aws/issues/252#issuecomment-401405577 ) but i'm continuing to bang my head on this problem

billowy-army-68599

01/12/2021, 10:53 PM

Does aws sts get-caller-identity return the account you expect it to?

helpful-kitchen-78641

01/12/2021, 10:56 PM

yes, though i should add that the backend bucket is in one account (which is accessible via my

default

profile) and the resources it's creating are in another (

staging

). The

aws:profile

specified in my

Pulumi.stackname.yaml

has permission to create/modify those resources

helpful-kitchen-78641

01/12/2021, 10:57 PM

the accounts should have cross account access to this bucket, and this did work in the past and i'm a little lost why i just recently started getting this message

billowy-army-68599

01/13/2021, 12:19 AM

something to bear in mind, the credential provider for the bucket access and your pulumi program are slightly different, i can't help with debugging, but bear that in mind

helpful-kitchen-78641

01/13/2021, 12:24 AM

any thoughts on how to maybe get some more info? I've tried

-v=3

but it doesn't show anything extra

helpful-kitchen-78641

01/13/2021, 12:25 AM

and would

AWS_SDK_LOAD_CONFIG=1

make the credentials provider more similar?

helpful-kitchen-78641

01/13/2021, 12:27 AM

thanks for that additional info on the credentials provider though, it might give me a new wall to bang my head against lol

billowy-army-68599

01/13/2021, 12:29 AM

-v=9 --logtostderr

billowy-army-68599

01/13/2021, 12:31 AM

@helpful-kitchen-78641 the error is coming from the provider: https://github.com/pulumi/pulumi-aws/blob/977a37d229d67a024220ed7eb197625922b9b0ce/provider/resources.go#L252

billowy-army-68599

01/13/2021, 12:31 AM

not the bucket, which is configured in the CLI

billowy-army-68599

01/13/2021, 12:32 AM

if you do:

Copy code

export AWS_PROFILE=<your profile name>
aws sts get-caller-identity

billowy-army-68599

01/13/2021, 12:32 AM

does it work?

billowy-army-68599

01/13/2021, 12:32 AM

also are you using aws sso?

helpful-kitchen-78641

01/13/2021, 12:37 AM

aws sts get-caller-identity

appears to work, with an appended

/botocore-session-16[....]

to the account/role i would expect to see, and we are not using aws sso

helpful-kitchen-78641

01/13/2021, 12:38 AM

another "interesting" thing i just noticed,

pulumi preview --diff

has no problems

16 Views

Open in Slack

Previous Next