#aws

big-potato-91793

02/16/2021, 7:28 PM
error: 1 error occurred:
     	* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
     
     Please see <https://registry.terraform.io/providers/hashicorp/aws>
     for more information about providing credentials.
     
     Error: NoCredentialProviders: no valid providers in chain. Deprecated.
     	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
Getting this error? But we are passing the `aws:profile` to a good value. What should cause this?
the `aws:region` was also set.

little-cartoon-10569

02/16/2021, 8:33 PM
In my experience, there are 3 different groups of consumers of the AWS config: Pulumi AWS providers (often just the default one), the S3 Pulumi backend, and any function-like components that Pulumi packages for you (like Lambdas and Event Rules).
Do you know which one is complaining?
The S3 backend is (iirc) not configurable and only uses the default values from the env vars or passed in on the command line.
The Pulumi AWS providers are configurable in the same way and via the normal provider configuration in source code.
And the function-like components always confuse me and I have to figure it out afresh, each time.

brave-planet-10645

02/16/2021, 8:50 PM
If it doesn't let me know

billowy-army-68599

02/16/2021, 8:53 PM
@big-potato-91793 this is coming from the provider. Few questions - are you using aws sso? - does `aws sts get-caller-identity` from the same machine work? - how is your aws profile configured?

big-potato-91793

02/16/2021, 8:59 PM
Thx for all the response. I’m only getting trying to deploy this via gitlab-ci.
I’m trying to create a Certificate in aws in `eu-central-1` region but using my runner that live in `us-east-1`. I create my own provider to set the region correctly.
I’m using the s3 backend. Since my deployment is doing a multi region deployment. I create my provider for each region

white-balloon-205

02/16/2021, 9:12 PM
Is it possible the issues you are hitting here are https://github.com/pulumi/pulumi-aws/issues/1316? That was fixed recently, but the fix may not yet be in the latest `aws` provider release.

big-potato-91793

02/16/2021, 9:26 PM
Yep might be. I’m using the latest `pulumi-aws`
@white-balloon-205 should I try to downgrade the version of the aws provider?

billowy-army-68599

02/16/2021, 9:35 PM
you said you're using a runner, can you add a step before you run pulumi in your CI config that does `aws sts get-caller-identity`?

big-potato-91793

02/16/2021, 9:36 PM
@white-balloon-205 I can confirm that the version for me is working for me with `3.23` of aws provider of pulumi I try with `3.29` and I got the problem.

broad-dog-22463

02/16/2021, 10:44 PM
@big-potato-91793 I believe v3.29.1 will solve your problem - it has been released about 45 mins ago
(That’s a release on top of what you tried)

big-potato-91793

02/16/2021, 10:57 PM
Awesome 👏!! I will try it tomorrow thx for the update!
@broad-dog-22463 I’m still getting the error when using the `3.29.1` version.

broad-dog-22463

02/17/2021, 1:55 PM
mmhhhh I can test this to try it - the code that Luke mentioned above was certainly merged into that release

big-potato-91793

02/17/2021, 1:56 PM
Updating (nonprod):
 [resource plugin aws-3.23.0] installing
 Downloading plugin: 73.74 MiB / 73.74 MiB  100.00% 1s
     pulumi:pulumi:Stack gateway-cert-nonprod running 
  ~  pulumi:providers:aws aws-eu-central-1 updating [diff: +skipCredentialsValidation,skipGetEc2Platforms,skipMetadataApiCheck,skipRegionValidation~version]
  ~  pulumi:providers:aws aws-eu-central-1 updated [diff: +skipCredentialsValidation,skipGetEc2Platforms,skipMetadataApiCheck,skipRegionValidation~version]
     aws:acm:Certificate cert-eu-central-1-intqa  error: 1 error occurred:
     pulumi:pulumi:Stack gateway-cert-nonprod  
     aws:acm:Certificate cert-eu-central-1-intqa **failed** 1 error
  
 Diagnostics:
   aws:acm:Certificate (cert-eu-central-1-intqa):
     error: 1 error occurred:
     	* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
     
     Please see <https://registry.terraform.io/providers/hashicorp/aws>
     for more information about providing credentials.
     
     Error: NoCredentialProviders: no valid providers in chain. Deprecated.
     	For verbose messaging see aws.Config.CredentialsChainVerboseErrors

broad-dog-22463

02/17/2021, 1:56 PM
you only have aws:region set right? and nothing else
wait, that looks to be downloading 3.23.0 (from the diff)

big-potato-91793

02/17/2021, 1:57 PM
$ npm ci
 > protobufjs@6.10.2 postinstall /builds/tm1/gateway-cert/pulumi/node_modules/protobufjs
 > node scripts/postinstall
 > @pulumi/aws@v3.29.1 install /builds/tm1/gateway-cert/pulumi/node_modules/@pulumi/aws
 > node scripts/install-pulumi-plugin.js resource aws v3.29.1
 [resource plugin aws-3.29.1] installing
 Downloading plugin: 74.68 MiB / 74.68 MiB  100.00% 1s
 added 281 packages in 6.276s
We also download the 3.29.1 🤔

broad-dog-22463

02/17/2021, 1:58 PM
ok, so that's ok
do you see 3.29.1 in your package-lock.json file?
(just checking it upgraded it correctly)

big-potato-91793

02/17/2021, 1:59 PM
},
        "@pulumi/aws": {
            "version": "3.29.1",
            "resolved": "<https://registry.npmjs.org/@pulumi/aws/-/aws-3.29.1.tgz>",
            "integrity": "sha512-wbxalcwd6Q8WJ72Fr6QEuv0xc2+yghmz+QE0fGI9qA/bScZbsIkSnqnSQrQ4P1j5Q8gh6rJMHUvtjFyHQ1Lh7g==",
            "requires": {
                "@pulumi/pulumi": "^2.17.0",
                "aws-sdk": "^2.0.0",
                "builtin-modules": "3.0.0",
                "mime": "^2.0.0",
                "read-package-tree": "^5.2.1",
                "resolve": "^1.7.1"
            }
        },

broad-dog-22463

02/17/2021, 1:59 PM
ok so then the issue still persists
We can continue investigating it
sorry for this trouble 😕

big-potato-91793

02/17/2021, 2:00 PM
Indeed. np. Do you need something from my side to help you troubleshoot this?

broad-dog-22463

02/17/2021, 2:01 PM
no - just to be clear
this happens by default when setting aws:region and no other creds right?

big-potato-91793

02/17/2021, 2:04 PM
I got a deployment that run in the `us-east-1`. But I created my own aws provider base on the region I need to create some stuffs. Passing the awsRegion in my yaml file. and the `aws:profile`
So this look like that
export const stack = new Stack({
    environments: config.targets,
    productCode: config.productCode,
    inventoryCode: config.inventoryCode,
}).for(config.regions);
I create my stack in each of those region.

broad-dog-22463

02/17/2021, 2:05 PM
ok that helps us recreate this to ensure we fix it up
thanks

big-potato-91793

02/17/2021, 2:05 PM
So if i’m adding `us-west-2` i just need to add the region to my stack yaml
this.provider = new Provider(`aws.${this.region}`, {
            profile,
            region: this.region,
        });
Just to add. I need to redestroy my stack to make it possible to redeploy with the `3.23` since looks like the `3.29.1` is creating the error 😬

broad-dog-22463

02/17/2021, 2:15 PM
nah you shouldn't need to destroy
pulumi plugin rm resource aws 3.29.1
and then ensure you npm install 3.23.0
and it will rid your env of 3.29.1

billowy-army-68599

02/17/2021, 2:29 PM
@big-potato-91793 this is running in a ci runner right?

big-potato-91793

02/17/2021, 2:29 PM
Yeah @billowy-army-68599 with gitlab-ci

billowy-army-68599

02/17/2021, 2:30 PM
how are you passing credentials to your profile?

big-potato-91793

02/17/2021, 2:30 PM
My runner assume an aws iam role to give i’m the access.

billowy-army-68599

02/17/2021, 2:32 PM
if that's the case, why are you setting `aws:profile`? can you add a gitlab step before the pulumi run that verifies the role you have (eg `aws sts get-caller-identity`)

big-potato-91793

02/17/2021, 2:58 PM
Adding this for testing locally.
because i'm using my profile locally
not the iam. But I can get you the result of the `aws sts get-caller-identity` soon. If I put or not the `profile` I’m getting the error in the ci. But I can retry.

billowy-army-68599

02/17/2021, 3:27 PM
@big-potato-91793 so just so I'm understanding correctly, you have an AWS profile on your local machine, and the `up` works, but the run fails on the gitlab runner? did you configure your profile on the gitlab runner?

big-potato-91793

02/17/2021, 3:29 PM
The runner is assuming a IAM role giving him the same right has me. Both work with the `3.23` version of the provider.

broad-dog-22463

02/17/2021, 3:30 PM
wait a minute!!!
ok, I see the issue
you are running pulumi using an IAM profile so not directly with credentials
can you add this to your stack file please
pulumi config set aws:skipMetadataApiCheck false
can you ensure that is in your stackfile for the CI runner
the defaults of this value mean that pulumi will be allowed to authenticate via the Metadata API
the defaults of that specific call were changed in v3.28.1 of the Pulumi to make the interaction of the provider and aws faster

big-potato-91793

02/17/2021, 3:40 PM
@billowy-army-68599
$ aws sts get-caller-identity
00:01
 {
     "UserId": "XXXXX-GitRunner",
     "Account": "XXXXXXXX",
     "Arn": "arn:aws:sts::XXXXXX:assumed-role/GitRunner/XXXXXX-GitRunner"
 }
 Job succeeded

billowy-army-68599

02/17/2021, 3:42 PM
okay, can you try what @broad-dog-22463 suggested, and if that doesn't work can you remove the `aws:profile` config option. My suspicion is that you're trying to invoke an AWS profile that doesn't exist on your runner

big-potato-91793

02/17/2021, 3:43 PM
Yep will try. Just annoying when trying to deploy locally 😬 and in the ci..

billowy-army-68599

02/17/2021, 3:43 PM
if you want to use the profile locally, you can set the `AWS_PROFILE` environment variable or setup the profile on your runner
for example, this needs to exist on your runner
aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile       pulumi-dev-sandbox           manual    --profile

big-potato-91793

02/17/2021, 3:49 PM
Yep I’m already setting this up locally. I can’t have a role on the runner since it’s running inside a k8s pod runner. In a ec2 instance this will have been easy. Trying now the solution from paul.
Only adding the value on the stack file didn’t solve the problem. Trying to remove the profile.
Still having the error.

broad-dog-22463

02/17/2021, 4:01 PM
ok @big-potato-91793 I think we are going to have to jump on a call and see if we can solve this
For now, can you downgrade again to the version that works and then can we schedule something tomorrow morning your time? (I am giving a talk at a conference this afternoon so am AFK)

big-potato-91793

02/17/2021, 4:02 PM
Yep.. Will be better I think since I don’t want to copy paste some element from my company

broad-dog-22463

02/17/2021, 4:02 PM
feel free to add what time suits you and we will try and get to the bottom of it

big-potato-91793

02/17/2021, 4:04 PM
Just schedule something. Let me know if that is alright with you!

broad-dog-22463

02/17/2021, 4:10 PM
works for me!
@big-potato-91793 I just opened this specific issue - https://github.com/pulumi/pulumi-aws/issues/1359
This should capture everything we just spoke about

big-potato-91793

02/18/2021, 2:26 PM
thx @broad-dog-22463 :)

broad-dog-22463

02/18/2021, 2:26 PM
👍
you will be able to subscribe to that issue now to see how it progresses

adamant-translator-31969

02/18/2021, 4:04 PM
@broad-dog-22463 is it related to https://github.com/pulumi/pulumi-aws/issues/1340 ?

broad-dog-22463

02/18/2021, 4:04 PM
possibly - I can't be sure tbh until we try and track down the issue
Morning @big-potato-91793 got some more values for you to try - I have successfully used Pulumi in an Ec2 instance with an IAM Role here:
pulumi config set aws:skipCredentialsValidation false
pulumi config set aws:skipGetEc2Platforms false
pulumi config set aws:skipMetadataApiCheck false
I believe you need all 3 of them!
We only tested 2 in your system last time

big-potato-91793

02/24/2021, 2:11 PM
Ok nice 🙂. I can give it a go soon today and give you feedback 🙂

broad-dog-22463

02/24/2021, 2:12 PM
👍
thank you!
Hi @big-potato-91793 any success with those config values?

big-potato-91793

02/24/2021, 6:42 PM
Nah didn’t have the time this morning 😞 … will try soon I promise 🙂

broad-dog-22463

02/24/2021, 6:49 PM
no worries 🙂 Just saw you mentioned it on another issue haha

big-potato-91793

02/24/2021, 8:31 PM
I’m getting the same error. Putting this in the stack config and also in the place where I create my aws provider

broad-dog-22463

02/24/2021, 8:35 PM
This is so weird - we have reverted Everything that changed with that.... something else must be happening in the provider

big-potato-91793

02/24/2021, 8:44 PM
Anything I can do to help you debug this?

broad-dog-22463

02/24/2021, 8:46 PM
I guess stepping through each version would be amazing 😄 Kidding of course!

big-potato-91793

02/24/2021, 8:49 PM
hehe 🤣
Do you have a new aws provider so I can test with maybe 😛 ?

broad-dog-22463

02/24/2021, 9:53 PM
Can you try with 3.28.0? That’ll rule out any of those changes we have been testing so far

big-potato-91793

02/25/2021, 11:39 AM
sure
It works 🙂

broad-dog-22463

02/25/2021, 1:43 PM
ok, that helps....
thank you!
@big-potato-91793 I've just realised
(from a GitHub issue comment)
You need to set those 3 values in your Provider code NOT the config file
as you are not using default providers
can you try 1 more time for me?

big-potato-91793

02/25/2021, 2:08 PM
Yep it works with this
this.provider = new Provider(`aws.${this.region}`, {
            skipCredentialsValidation: false,
            skipMetadataApiCheck: false,
            skipGetEc2Platforms: false,
            region: this.region,
});
and the version `3.28` of the aws provider.
I’m trying right now with removing the default provider value to be sure. After, try to upgrade the provider maybe?

broad-dog-22463

02/25/2021, 2:09 PM
did you try the latest provider with all 3 of those variables set?

big-potato-91793

02/25/2021, 2:10 PM
I’m trying right now 😛 , waiting on the pipeline
error: getting secrets manager: yaml: line 13: could not find expected ':'
Getting that weird error 🤔
Forget about it 🙂 🤦‍♂️

broad-dog-22463

02/25/2021, 2:24 PM
that looks something your side 😉

big-potato-91793

02/25/2021, 2:25 PM
yeah my bad ahah. I saw that 😛
Getting the error with `3.30.1`

broad-dog-22463

02/25/2021, 2:31 PM
the same error??
when setting all 3 values to your provider config block?

big-potato-91793

02/25/2021, 2:37 PM
Yes I got nothing on the stack file except the aws region
this.provider = new Provider(`aws.${this.region}`, {
            skipCredentialsValidation: false,
            skipMetadataApiCheck: false,
            skipGetEc2Platforms: false,
            region: this.region,
        });
error: 1 error occurred:
     	* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
     
     Please see <https://registry.terraform.io/providers/hashicorp/aws>
     for more information about providing credentials.
     
     Error: NoCredentialProviders: no valid providers in chain. Deprecated.
     	For verbose messaging see aws.Config.CredentialsChainVerboseErrors

broad-dog-22463

02/25/2021, 2:39 PM
and you are definitely using that provider in resource options right? I am just confused how it works for the person in github and not you 😕

big-potato-91793

02/25/2021, 2:40 PM
return new aws.acm.Certificate(`cert-${context.region}-${context.environment}`, {
        certificateChain: '',
        certificateBody: '',
        privateKey: '',
        tags: context.tags,
    }, {
        provider: context.provider,
    });
It’s only one resource my current project so. Really hard to forgot on multiples 😛

broad-dog-22463

02/25/2021, 2:48 PM
and that context is definitely being set with the correct Provider (i.e with those values set)?

big-potato-91793

02/25/2021, 2:49 PM
yes the `context.provider` is referring to the new Provider that you’re seeing with the 3 skip set to false
any news @broad-dog-22463?

broad-dog-22463

03/10/2021, 6:59 PM
@big-potato-91793 ok, we found the source of the codegen bug
I just tested things and we are looking better
so PRs will start to flow
sorry for the time here

big-potato-91793

03/10/2021, 7:03 PM
hehe no problem. Happy to help.. I was able to find some times to contribute to pulumi I will be happy 🙂

broad-dog-22463

03/11/2021, 7:25 PM
so ..... @big-potato-91793 can you do me a huge favour?
can you try pulumi-aws v3.32.1 and try and set those values (that I talked to you above) in the named provider block

big-potato-91793

03/11/2021, 7:29 PM
Yep can try this soon

broad-dog-22463

03/11/2021, 7:31 PM
thanks!

big-potato-91793

03/12/2021, 2:55 PM
It seems to have work! The only things was that I needed to do the `up` first on my laptop so the provider has the good params and after I was able to do the preview.

broad-dog-22463

03/12/2021, 5:24 PM
👌
success 🙂
this is great news 🙂

big-potato-91793

03/12/2021, 7:00 PM
Just feel weird that I need to upgrade the version of the aws provider on my laptop first when running `up`. I was thinking that this will be automatic and not generating the error when upgrading the provider