https://pulumi.com logo
Join Slack
Powered by
This message was deleted.
# aws
s
This message was deleted.
b
the 
aws:region
was also set.
l
In my experience, there are 3 different groups of consumers of the AWS config: Pulumi AWS providers (often just the default one), the S3 Pulumi backend, and any function-like components that Pulumi packages for you (like Lambdas and Event Rules).
Do you know which one is complaining?
The S3 backend is (iirc) not configurable and only uses the default vaules from the env vars or passed in on the command line.
The Pulumi AWS providers are configurable in the same way and via the normal provider configuration in source code.
And the function-like components always confuse me and I have to figure it out afresh, each time.
b
If it doesn't let me know
b
@big-potato-91793 this is coming from the provider. Few questions - are you using aws sso? - does 
aws sts get-caller-identity
from the same machine work? - how is your aws profile configured?
b
Thx for all the response. I’m only getting trying to deploy this via gitlab-ci. • I ’m trying to create a Certificate in aws in 
eu-central-1
region but using my runner that live in 
us-east-1
. I create my own provider to set the region correctly.
I’m using the s3 backend. Since my deployment is doing a multi region deployment. I create my provider for each region
w
Is it possible the issues you are hitting here are https://github.com/pulumi/pulumi-aws/issues/1316? That was fixed recently, but the fix may not yet be in the latest 
aws
provider release.
b
Yep miight be. I’m using the latest 
pulumi-aws
@white-balloon-205 should I try to downgrade the version of the aws provider?
b
you said you're using a runner, can you add a step before you run pulumi in your CI config that does 
aws sts get-caller-identity
?
b
@white-balloon-205 I can confirm that the version for me is working for me with 
3.23
of aws provider of pulumi I try with 
3.29
and I got the problem.
b
@big-potato-91793 I believe v3.29.1 will solve your problem - it has been released about 45 mins ago
(That’s a release on top of what you tried)
b
Awesome 👏!! I will try it tomorrow thx for the update!
@broad-dog-22463 I’m still getting the error when using the 
3.29.1
version.
b
mmhhhh I can test this to try it - the code that Luke mentioned above was certainly merged into that release
b
Copy code
Updating (nonprod):
 [resource plugin aws-3.23.0] installing
 Downloading plugin: 73.74 MiB / 73.74 MiB  100.00% 1s
     pulumi:pulumi:Stack gateway-cert-nonprod running 
  ~  pulumi:providers:aws aws-eu-central-1 updating [diff: +skipCredentialsValidation,skipGetEc2Platforms,skipMetadataApiCheck,skipRegionValidation~version]
  ~  pulumi:providers:aws aws-eu-central-1 updated [diff: +skipCredentialsValidation,skipGetEc2Platforms,skipMetadataApiCheck,skipRegionValidation~version]
     aws:acm:Certificate cert-eu-central-1-intqa  error: 1 error occurred:
     pulumi:pulumi:Stack gateway-cert-nonprod  
     aws:acm:Certificate cert-eu-central-1-intqa **failed** 1 error
  
 Diagnostics:
   aws:acm:Certificate (cert-eu-central-1-intqa):
     error: 1 error occurred:
     	* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
     
     Please see <https://registry.terraform.io/providers/hashicorp/aws>
     for more information about providing credentials.
     
     Error: NoCredentialProviders: no valid providers in chain. Deprecated.
     	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
b
you on;y have aws:region set right? and nothing else
wait, that looks to be downloading 3.23.0 (from the diff)
b
Copy code
$ npm ci
 > protobufjs@6.10.2 postinstall /builds/tm1/gateway-cert/pulumi/node_modules/protobufjs
 > node scripts/postinstall
 > @pulumi/aws@v3.29.1 install /builds/tm1/gateway-cert/pulumi/node_modules/@pulumi/aws
 > node scripts/install-pulumi-plugin.js resource aws v3.29.1
 [resource plugin aws-3.29.1] installing
 Downloading plugin: 74.68 MiB / 74.68 MiB  100.00% 1s
 added 281 packages in 6.276s
We also download the 3.29.1 🤔
b
ok, so that's ok
do you see 3.29.1 in your package-lock.json file?
(just checking it upgraded it correctly)
b
Copy code
},
        "@pulumi/aws": {
            "version": "3.29.1",
            "resolved": "<https://registry.npmjs.org/@pulumi/aws/-/aws-3.29.1.tgz>",
            "integrity": "sha512-wbxalcwd6Q8WJ72Fr6QEuv0xc2+yghmz+QE0fGI9qA/bScZbsIkSnqnSQrQ4P1j5Q8gh6rJMHUvtjFyHQ1Lh7g==",
            "requires": {
                "@pulumi/pulumi": "^2.17.0",
                "aws-sdk": "^2.0.0",
                "builtin-modules": "3.0.0",
                "mime": "^2.0.0",
                "read-package-tree": "^5.2.1",
                "resolve": "^1.7.1"
            }
        },
b
ok so then the issue still persists
We can continue investigating it
sorry for this trouble 😕
b
Indeed. np. Do you need something from my side to help you troubleshoot this?
b
no - just to be clear
this happens by default when setting aws:region and no other creds right?
b
I got a deployment that run in the 
us-east-1
. But I created my own aws provider base on the region I need to create some stuffs. Passing the awsRegion in my yaml file. and the 
aws:profile
So this look like that
Copy code
export const stack = new Stack({
    environments: config.targets,
    productCode: config.productCode,
    inventoryCode: config.inventoryCode,
}).for(config.regions);
I create my stack in each of those region.
b
ok that helps us recreate this to ensure we fix it up
thanks
b
So if i’m adding 
us-west-2
i just need to add the region to my stack yaml
Copy code
this.provider = new Provider(`aws.${this.region}`, {
            profile,
            region: this.region,
        });
Just to add. I need to redestroy my stack to make it possible to redeploy with the 
3.23
since looks like the 
3.29.1
is creatiing the error 😬
b
nah you sholdn't need to destroy
pulumi plugin rm resource aws 3.29.1
and then ensure you npm install 3.23.0
and it will rid your env of 3.29.1
b
@big-potato-91793 this is running in a ci runner right?
b
Yeah @billowy-army-68599 with gitlab-ci
b
how are you passing credentials to your profile?
b
My runner assume an aws iam role to give i’m the access.
b
if that's the case, why are you setting 
aws:profile
? can you add a gitlab step before the pulumi run that verifies the role you have (eg 
aws sts get-caller-identity
)
b
Adding this for testing locally. 
because i'm using my profile locally
not the iam. But I can get you the result of the 
aws sts get-caller-identity
soon. If I puth or not the 
profile
I’m getting the error in the ci. But I can retry.
b
@big-potato-91793 so just so I'm understanding correctly, you have an AWS profile on your local machine, and the 
up
works, but the run fails on the gitlab runner? did you configure your profile on the gitlab runner>
b
The runner is assuming a IAM role giving him the same right has me. Both work with the 
3.23
version of the provider.
b
wait a minute!!!
ok, I see the issue
you are running pulumi using an IAM profile so not directly with credentials
can you add this to your stack file please
Copy code
pulumi config set aws:skipMetadataApiCheck false
can you ensure that is in your stackfile for the CI runner
the defaults of this value mean that pulumi will be allowed to authenticate via the Metadata API
the defaults of that specific call were changed in v3.28.1 of the Pulumi to make the interaction of the provider and aws faster
b
@billowy-army-68599
Copy code
$ aws sts get-caller-identity
00:01
 {
     "UserId": "XXXXX-GitRunner",
     "Account": "XXXXXXXX",
     "Arn": "arn:aws:sts::XXXXXX:assumed-role/GitRunner/XXXXXX-GitRunner"
 }
 Job succeeded
b
okay, can you try what @broad-dog-22463 suggested, and if that doesn't work can you remove the 
aws:profile
config option. My suspicion is that you're trying to invoke an AWS profile that doesn't exist on your runner
b
Yep will try. Just annoying when trying to deploy locallly 😬 and in the ci..
b
if you want to use the profile locally, you can set the 
AWS_PROFILE
environment variable or setup the profile on your runner
for example, this needs to exist on your runner
Copy code
aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile       pulumi-dev-sandbox           manual    --profile
b
Yep I’m already setting this up locally. I can’t have a role on the runner since it’s running inside a k8s pod runner. In a ec2 instance this will have been easy. Trying now the solution from paul.
Only adding the value on the stack file didn’t solve the problem. Trying to remove the profile.
Stll having the error.
b
ok @big-potato-91793 I think we are going to have to jump on a call and see if we can solve this
For now, can you downgrade again to the version that works and then can we schedule something tomorrow morning your time? (I am giving a talk at a conference this afternoon so am AFK)
b
Yep.. Will be better I think since I don’t want to copy paste some element from my company
b
feel free to add what time suits you and we will try and get to the bottom of it
b
Just schedule something. Let me know if that is alright with you!
b
works for me!
@big-potato-91793 I just opened this specific issue - https://github.com/pulumi/pulumi-aws/issues/1359
This should capture everything we just spoke about
b
thx @broad-dog-22463 :)
b
👍
you will be able to subscribe to that issue now to see how it progresses
a
@broad-dog-22463 is it related to https://github.com/pulumi/pulumi-aws/issues/1340 ?
b
possibly - I can't be sure tbh until we try and track down the issue
Morning @big-potato-91793 got some more values for you to try - I have successfully used Pulumi in an Ec2 instance with an IAM Role here:
Copy code
pulumi config set aws:skipCredentialsValidation false
pulumi config set aws:skipGetEc2Platforms false
pulumi config set aws:skipMetadataApiCheck false
I believe you need all 3 of them!
We only tested 2 in your system last time
b
Ok nice 🙂. I can give it a go soon today and give you feedback 🙂
b
👍
thank you!
Hi @big-potato-91793 any success with those config values?
b
Nah didn’t have the time this morning 😞 … will try soon I promise 🙂
b
no worries 🙂 Just saw you mentioned it on another issue haha
b
I’m getting the same error. Putting this in the stack config and also in the place where I create my aws provider
b
This is so weird - we have reverted Everything that changed with that.... something else must be happening in the provider
b
Anything I can do to help you debug this?
b
I guess stepping through each version would be amazing 😄 Kidding of course!
b
hehe 🤣
Do you have a new aws provider so I can test with maybe 😛 ?
b
Can you try with 3.28.0? That’ll rule out any of those changes we have been testing so far
b
sure
It works 🙂
b
ok, that helps....
that you!
@big-potato-91793 I've jsut realised
(from a GitHub issue comment)
You need to set those 3 values in your Provider code NOT the config file
as you are not using default providers
can you try 1 more time for me?
b
Yep it works with this
Copy code
this.provider = new Provider(`aws.${this.region}`, {
            skipCredentialsValidation: false,
            skipMetadataApiCheck: false,
            skipGetEc2Platforms: false,
            region: this.region,
});
and the version 
3.28
of the aws provider.
I’m trying right now with removing the default provider value to be sure. After, try to uprade the provider maybe?
b
did you try the latest provider with all 3 of those variables set?
b
I’m trying right now 😛 , waiting on the pipeline
Copy code
error: getting secrets manager: yaml: line 13: could not find expected ':'
Getting that weird error 🤔
Forget about it 🙂 🤦‍♂️
b
that looks something your side 😉
b
yeah my bad ahah. I saw that 😛
Getting the error with 
3.30.1
b
the same error??
when setting all 3 values to your provider config block?
b
Yes I got nothing on the stack file except the aws region
Copy code
this.provider = new Provider(`aws.${this.region}`, {
            skipCredentialsValidation: false,
            skipMetadataApiCheck: false,
            skipGetEc2Platforms: false,
            region: this.region,
        });
Copy code
error: 1 error occurred:
     	* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
     
     Please see <https://registry.terraform.io/providers/hashicorp/aws>
     for more information about providing credentials.
     
     Error: NoCredentialProviders: no valid providers in chain. Deprecated.
     	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
b
and you are definitely using that provider in resource options right? I am just confused how it works for the person in github and not you 😕
b
Copy code
return new aws.acm.Certificate(`cert-${context.region}-${context.environment}`, {
        certificateChain: '',
        certificateBody: '',
        privateKey: '',
        tags: context.tags,
    }, {
        provider: context.provider,
    });
It’s only one resource my current project so. Really hard to forgot on multiples 😛
b
and that context is definitely being set with the correct Provider (i.e with those values set)?
b
yes the 
context.prvider
is referring to the new Provider that you’re seeing with the 3 skip set to false
any news @broad-dog-22463?
b
@big-potato-91793 ok, we found the source of the codegen bug
I just tested things and we are looking better
so PRs will start to flow
sorry for the time here
b
hehe no problem. Happy to help.. I was able to find some times to contribute to pulumi I will be happy 🙂
b
so ..... @big-potato-91793 canyou do me a huge favour?
can you try pulumi-aws v3.32.1 and try and set those values (that I talked to you above above) in the named provider block
b
Yep can try this soon
b
thanks!
b
It seems to have work! The only things was that I needed to do the 
up
first on my laptop so the provider has the good params and after I was able to do the preivew.
b
👌
success 🙂
this is great news 🙂
b
Just feel weird that I need to upgrade the version of the aws provider on my laptop first when running 
up
. I was thinking that this will be automatic and not generating the error when upgrading the provider
19 Views
Open in Slack
PreviousNext
Powered by