# aws
c
Hi, has anyone seen this error before? I can connect to AWS using the aws cli, but pulumi destroy fails (pulumi v2.24.1):
b
Hi @cold-yacht-45876 How have you configured your credentials for the pulumi-aws provider? Is it via Env Vars or config file?
c
config/credentials file + $env:AWS_PROFILE="my-profile-name"
pulumi works if I specify AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN as environment variables explicitly
b
are you using SSO? or an actual profile?
c
an actual profile
b
so the first thing we do is a check as follows
func preConfigureCallback(vars resource.PropertyMap, c shim.ResourceConfig) error {
	config := &awsbase.Config{
		AccessKey: stringValue(vars, "accessKey", []string{"AWS_ACCESS_KEY_ID"}),
		SecretKey: stringValue(vars, "secretKey", []string{"AWS_SECRET_ACCESS_KEY"}),
		Profile:   stringValue(vars, "profile", []string{"AWS_PROFILE"}),
		Token:     stringValue(vars, "token", []string{"AWS_SESSION_TOKEN"}),
		Region:    stringValue(vars, "region", []string{"AWS_REGION", "AWS_DEFAULT_REGION"}),
	}

	sharedCredentialsFile := stringValue(vars, "sharedCredentialsFile", []string{"AWS_SHARED_CREDENTIALS_FILE"})
	credsPath, err := homedir.Expand(sharedCredentialsFile)
	if err != nil {
		return err
	}
	config.CredsFilename = credsPath

	if _, err := awsbase.GetCredentials(config); err != nil {
		return errors.New("unable to discover AWS AccessKeyID and/or SecretAccessKey " +
			"- see https://pulumi.io/install/aws.html for details on configuration")
	}

	return nil
}
you are not getting that error message
so one is coming from the underlying TF code that we scaffolded the provider from... that said, that feels incorrect of course
can you tell me what version of pulumi-aws you are using?
c
"dependencies": {
        "@pulumi/aws": "^3.22.1",
        "@pulumi/awsx": "^0.23.0",
        "@pulumi/pulumi": "^2.17.0",
        "@pulumi/random": "^3.0.1",
        "@pulumi/tls": "^3.0.0",
        "child_process": "^1.0.2"
    }
b
what's in your package-lock.json?
(for pulumi-aws I mean)
c
"@pulumi/aws": {
            "resolved": "https://registry.npmjs.org/@pulumi/aws/-/aws-3.22.1.tgz",
                "@pulumi/pulumi": "^2.15.0",
        "@pulumi/awsx": {
            "resolved": "https://registry.npmjs.org/@pulumi/awsx/-/awsx-0.23.0.tgz",
                "@pulumi/docker": "^1.0.0 || ^2.0.0",
        "@pulumi/docker": {
            "resolved": "https://registry.npmjs.org/@pulumi/docker/-/docker-2.5.0.tgz",
                "@pulumi/pulumi": "^2.0.0",
        "@pulumi/pulumi": {
            "resolved": "https://registry.npmjs.org/@pulumi/pulumi/-/pulumi-2.17.0.tgz",
                "@pulumi/query": "^0.3.0",
        "@pulumi/query": {
            "resolved": "https://registry.npmjs.org/@pulumi/query/-/query-0.3.0.tgz",
        "@pulumi/random": {
            "resolved": "https://registry.npmjs.org/@pulumi/random/-/random-3.0.1.tgz",
                "@pulumi/pulumi": "^2.15.0"
        "@pulumi/tls": {
            "resolved": "https://registry.npmjs.org/@pulumi/tls/-/tls-3.0.0.tgz",
                "@pulumi/pulumi": "^2.15.0"
b
so we made some changes to the authentication func since then and they were rolled out in pulumi-aws v3.29.1 - is there a way you can try to upgrade to test this out for yourself?
b
What does your credentials file look like (I think it's in C:\Users\username\.aws\credentials)? So mine looks like:
[default]
aws_access_key_id = [secret]
aws_secret_access_key = [secret]
[piers]
aws_access_key_id = [secret]
aws_secret_access_key = [secret]
and if I do
export AWS_PROFILE=piers
then I can switch to my piers profile.
Rather than doing
$env:AWS_PROFILE
can you do
setx AWS_PROFILE {profilename}
c
my credential file looks like this:
[my-account]
aws_access_key_id=...
aws_secret_access_key=...
aws_session_token=...
same result after setx
b
Do you have a stack config file: Pulumi.{stackname}.yaml?
Do you have any AWS settings in there?
c
config:
  aws:region: eu-north-1
(from Pulumi.development.yaml, that is)
b
@cold-yacht-45876 any particular reason you have a session_token in your profile?
c
it's required by some policy in our aws setup (I believe, not my expertise)
b
that feels like it's an SSO thing...
ah no
are you using MFA here?
c
for personal login, we're using MFA and SSO, but not for command line access, though
b
the only difference here between your profile setup and @brave-planet-10645's is the use of the session_token, can you help me debug and see if we have an error here by commenting that out of your profile temporarily?
c
I see the same behaviour without the session_token
b
what about on the aws cli without the session token?
What happens if you run aws s3 ls?
c
I have to come back to you in a few minutes. In a meeting and need to focus a bit on that 🙂 sorry
b
ok
c
I might have gotten it to work. Not sure what I did wrong and then right. Will get back to you if I see the same error again 🙂