https://pulumi.com logo
Join Slack
Powered by
This message was deleted.
# aws
s
This message was deleted.
f
Oh, and btw, I’m using 
@pulumi/eks/Cluster
, but I just realized there’s also 
@pulumi/aws/eks/Cluster
which seems lower-level. I’m assuming it’s simpler to use the higher-level 
@pulumi/eks/Cluster
because it sets up a bunch of other resources automatically for us, right?
OK, I think I will need a different AWS provider for each region… 🤔
w
Presumably, this region is different than the default region set in your stack config. In which case, you can programmatically create a new provider where you specify the region. E.g.:
Copy code
const eastRegion = new aws.Provider("east", {
        profile: aws.config.profile,
        region: "us-east-1", // Per AWS, ACM certificate must be in the us-east-1 region.
    });

    const certificate = new aws.acm.Certificate("certificate", {
        domainName: config.targetDomain,
        validationMethod: "DNS",
    }, { provider: eastRegion });
Right 🙂
f
Thanks @witty-candle-66007! However, now when I try to create a new 
eks.Cluster
using the new provider with the specific region, I get this error:
Copy code
Error: providerCredentialOpts and an AWS provider instance must be set together
I see that 
providerCredentialOpts
property on the cluster object, with 
roleArn
and 
profileName
children, but I’m not sure what to put there. Can’t I just use the same defaults that would be used with default region?
w
f
Thanks Mitch, yes I had seen that section, but was not sure what it really meant and if it really applied here. I guess it does, because of this:
Creating and using a new AWS provider instance
but I’m still unclear on what it’s expecting for 
roleArn
and `profileName`… 🤔
w
Here are the eks examples: https://github.com/pulumi/pulumi-eks/tree/master/examples The aws-profile-role and aws-profile examples may help. I think profileName in this context refers to a profile set up with the aws cli (found under ~/.aws).
f
Thanks once more @witty-candle-66007, I’m looking into those examples right now! 👍
Good Monday @witty-candle-66007! I have made progress on that front, but getting other permission errors during EKS cluster creation:
Copy code
kubernetes:core/v1:ConfigMap (dummyon-nodeAccess):
    error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: the server has asked for the client to provide credentials

  eks:index:VpcCni (dummyon-vpc-cni):
    error: Command failed: kubectl apply -f /tmp/tmp-19308DzDMtCicc4nD.tmp
    unable to recognize "/tmp/tmp-19308DzDMtCicc4nD.tmp": Unauthorized
    unable to recognize "/tmp/tmp-19308DzDMtCicc4nD.tmp": Unauthorized
    unable to recognize "/tmp/tmp-19308DzDMtCicc4nD.tmp": Unauthorized
    unable to recognize "/tmp/tmp-19308DzDMtCicc4nD.tmp": Unauthorized
    unable to recognize "/tmp/tmp-19308DzDMtCicc4nD.tmp": Unauthorized
Here’s an excerpt from my pulumi code, here above👆
The 
pulumi
user mentioned in above code is granted 
AdministratorAccess
in IAM.
And the AWS 
default
profile I’m using to run Pulumi is configured with my personal Access Key, also granted 
AdministratorAccess
.
All other resources, including the EKS cluster itself get created successfully. Only the creation of the VPC CNI and the 
aws-auth
ConfigMap fail.
Any idea what could be going wrong? 🤔
w
I asked the team to take a look as well and it’s not obvious what the issue is. The error message appears to be indicating that you can’t authenticate to the k8s cluster from your deployment machine. But if you are using your personal admin-level key, it seems like that shouldn’t be the case.
f
Thanks a lot for looking into that, really appreciated! 👍
Hey @witty-candle-66007, here’s a stripped down minimal project that reproduces the issue. Thank you so much for looking into that! 🙂
eks-cluster.zip
50 Views
Open in Slack
PreviousNext
Powered by