This message was deleted.
# awss
sparse-intern-71089
04/13/2021, 10:29 AMThis message was deleted.
b
broad-dog-22463
04/13/2021, 10:37 AMHi @cold-yacht-45876
How have you configured your credentials for the pulumi-aws provider? Is it via Env Vars or config file?
c
cold-yacht-45876
04/13/2021, 10:38 AMconfig/credentials file + $env:AWS_PROFILE="my-profile-name"
cold-yacht-45876
04/13/2021, 10:38 AMpulumi works if I specify AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN as environment variables explicitly
b
broad-dog-22463
04/13/2021, 10:40 AMare you using SSO? or an actual profile?
c
cold-yacht-45876
04/13/2021, 10:40 AMan actual profile
b
broad-dog-22463
04/13/2021, 10:41 AMso the first thing we do is a check as follows
broad-dog-22463
04/13/2021, 10:41 AM Copy code
func preConfigureCallback(vars resource.PropertyMap, c shim.ResourceConfig) error {
config := &awsbase.Config{
AccessKey: stringValue(vars, "accessKey", []string{"AWS_ACCESS_KEY_ID"}),
SecretKey: stringValue(vars, "secretKey", []string{"AWS_SECRET_ACCESS_KEY"}),
Profile: stringValue(vars, "profile", []string{"AWS_PROFILE"}),
Token: stringValue(vars, "token", []string{"AWS_SESSION_TOKEN"}),
Region: stringValue(vars, "region", []string{"AWS_REGION", "AWS_DEFAULT_REGION"}),
}
sharedCredentialsFile := stringValue(vars, "sharedCredentialsFile", []string{"AWS_SHARED_CREDENTIALS_FILE"})
credsPath, err := homedir.Expand(sharedCredentialsFile)
if err != nil {
return err
}
config.CredsFilename = credsPath
if _, err := awsbase.GetCredentials(config); err != nil {
return errors.New("unable to discover AWS AccessKeyID and/or SecretAccessKey " +
"- see <https://pulumi.io/install/aws.html> for details on configuration")
}
return nil
}broad-dog-22463
04/13/2021, 10:42 AMyou are not getting that error message
broad-dog-22463
04/13/2021, 10:42 AMso one is coming from the underlying TF code that we scaffolded the provider from... that said, that feels incorrect of course
broad-dog-22463
04/13/2021, 10:42 AMcan you tell me what version of pulumi-aws you are using?
c
cold-yacht-45876
04/13/2021, 10:43 AM Copy code
"dependencies": {
"@pulumi/aws": "^3.22.1",
"@pulumi/awsx": "^0.23.0",
"@pulumi/pulumi": "^2.17.0",
"@pulumi/random": "^3.0.1",
"@pulumi/tls": "^3.0.0",
"child_process": "^1.0.2"
}b
broad-dog-22463
04/13/2021, 10:44 AMwhat's in your package-lock.json?
broad-dog-22463
04/13/2021, 10:44 AM(for pulumi-aws I mean)
c
cold-yacht-45876
04/13/2021, 10:44 AM Copy code
"@pulumi/aws": {
"resolved": "<https://registry.npmjs.org/@pulumi/aws/-/aws-3.22.1.tgz>",
"@pulumi/pulumi": "^2.15.0",
"@pulumi/awsx": {
"resolved": "<https://registry.npmjs.org/@pulumi/awsx/-/awsx-0.23.0.tgz>",
"@pulumi/docker": "^1.0.0 || ^2.0.0",
"@pulumi/docker": {
"resolved": "<https://registry.npmjs.org/@pulumi/docker/-/docker-2.5.0.tgz>",
"@pulumi/pulumi": "^2.0.0",
"@pulumi/pulumi": {
"resolved": "<https://registry.npmjs.org/@pulumi/pulumi/-/pulumi-2.17.0.tgz>",
"@pulumi/query": "^0.3.0",
"@pulumi/query": {
"resolved": "<https://registry.npmjs.org/@pulumi/query/-/query-0.3.0.tgz>",
"@pulumi/random": {
"resolved": "<https://registry.npmjs.org/@pulumi/random/-/random-3.0.1.tgz>",
"@pulumi/pulumi": "^2.15.0"
"@pulumi/tls": {
"resolved": "<https://registry.npmjs.org/@pulumi/tls/-/tls-3.0.0.tgz>",
"@pulumi/pulumi": "^2.15.0"b
broad-dog-22463
04/13/2021, 10:49 AMso we made some changes to the authentication func since then and they were rolled out in pulumi-aws v3.29.1 - is there a way you can try to upgrade to test this out for yourself?
b
brave-planet-10645
04/13/2021, 10:52 AMWhat does your credentials file look like (I think it's in
C:\Users\username\.*aws*\*credentials Copy code
[default]
aws_access_key_id = [secret]
aws_secret_access_key = [secret]
[piers]
aws_access_key_id = [secret]
aws_secret_access_key = [secret]export AWS_PROFILE=pierspiersbrave-planet-10645
04/13/2021, 10:53 AMRather than doing
$env:AWS_PROFILEsetx AWS_PROFILE {profilename}c
cold-yacht-45876
04/13/2021, 10:54 AMmy credential file looks like this:
Copy code
[my-account]
aws_access_key_id=...
aws_secret_access_key=...
aws_session_token=...cold-yacht-45876
04/13/2021, 10:56 AMsame result after setx
b
brave-planet-10645
04/13/2021, 10:56 AMDo you have a stack config file:
Pulumi.{stackname}.yamlbrave-planet-10645
04/13/2021, 10:56 AMDo you have any AWS settings in there?
c
cold-yacht-45876
04/13/2021, 10:57 AMconfig:
awsregion eu-north-1
cold-yacht-45876
04/13/2021, 10:58 AM(from Pulumi.development.yaml, that is)
b
broad-dog-22463
04/13/2021, 11:03 AM@cold-yacht-45876 any particular reason you have a session_token in your profile?
c
cold-yacht-45876
04/13/2021, 11:04 AMit's required by some policy in our aws setup (I believe, not my expertise)
b
broad-dog-22463
04/13/2021, 11:05 AMthat feels like it's an SSO thing...
broad-dog-22463
04/13/2021, 11:05 AMah no
broad-dog-22463
04/13/2021, 11:05 AMare you using MFA here?
c
cold-yacht-45876
04/13/2021, 11:06 AMfor personal login, we're using MFA and SSO, but not for command line access, though
b
broad-dog-22463
04/13/2021, 11:08 AMthe only difference here between your profile setup and @brave-planet-10645 is the use of the session_token, can you help me debug and see if we have an error here but commenting that out of your profile temporarily?
c
cold-yacht-45876
04/13/2021, 11:12 AMI see the same behaviour without the session_token
b
brave-planet-10645
04/13/2021, 11:14 AMwhat about on the aws cli without the session token?
brave-planet-10645
04/13/2021, 11:15 AMWhat happens if you run
aws s3 lsc
cold-yacht-45876
04/13/2021, 11:16 AMI have to come back to you in a few minutes. In a meeting and need to focus a bit on that 🙂 sorry
b
brave-planet-10645
04/13/2021, 11:17 AMok
c
cold-yacht-45876
04/13/2021, 12:07 PMI might have gotten it to work. Not sure what I did wrong and then right. Will get back to you if I see the same error again 🙂