
cold-yacht-45876

04/13/2021, 10:29 AM
Hi, has anyone seen this error before? I can connect to AWS using the aws cli, but pulumi destroy fails (pulumi v2.24.1):

broad-dog-22463

04/13/2021, 10:37 AM
Hi @cold-yacht-45876 How have you configured your credentials for the pulumi-aws provider? Is it via Env Vars or config file?

cold-yacht-45876

04/13/2021, 10:38 AM
config/credentials file + $env:AWS_PROFILE="my-profile-name"
pulumi works if I specify AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN as environment variables explicitly

broad-dog-22463

04/13/2021, 10:40 AM
are you using SSO? or an actual profile?

cold-yacht-45876

04/13/2021, 10:40 AM
an actual profile

broad-dog-22463

04/13/2021, 10:41 AM
so the first thing we do is a check as follows
func preConfigureCallback(vars resource.PropertyMap, c shim.ResourceConfig) error {
	config := &awsbase.Config{
		AccessKey: stringValue(vars, "accessKey", []string{"AWS_ACCESS_KEY_ID"}),
		SecretKey: stringValue(vars, "secretKey", []string{"AWS_SECRET_ACCESS_KEY"}),
		Profile:   stringValue(vars, "profile", []string{"AWS_PROFILE"}),
		Token:     stringValue(vars, "token", []string{"AWS_SESSION_TOKEN"}),
		Region:    stringValue(vars, "region", []string{"AWS_REGION", "AWS_DEFAULT_REGION"}),
	}

	sharedCredentialsFile := stringValue(vars, "sharedCredentialsFile", []string{"AWS_SHARED_CREDENTIALS_FILE"})
	credsPath, err := homedir.Expand(sharedCredentialsFile)
	if err != nil {
		return err
	}
	config.CredsFilename = credsPath

	if _, err := awsbase.GetCredentials(config); err != nil {
		return errors.New("unable to discover AWS AccessKeyID and/or SecretAccessKey " +
			"- see https://pulumi.io/install/aws.html for details on configuration")
	}

	return nil
}
you are not getting that error message
so one is coming from the underlying TF code that we scaffolded the provider from... that said, that feels incorrect of course
can you tell me what version of pulumi-aws you are using?

cold-yacht-45876

04/13/2021, 10:43 AM
"dependencies": {
        "@pulumi/aws": "^3.22.1",
        "@pulumi/awsx": "^0.23.0",
        "@pulumi/pulumi": "^2.17.0",
        "@pulumi/random": "^3.0.1",
        "@pulumi/tls": "^3.0.0",
        "child_process": "^1.0.2"
    }

broad-dog-22463

04/13/2021, 10:44 AM
what's in your package-lock.json?
(for pulumi-aws I mean)

cold-yacht-45876

04/13/2021, 10:44 AM
"@pulumi/aws": {
            "resolved": "https://registry.npmjs.org/@pulumi/aws/-/aws-3.22.1.tgz",
                "@pulumi/pulumi": "^2.15.0",
        "@pulumi/awsx": {
            "resolved": "https://registry.npmjs.org/@pulumi/awsx/-/awsx-0.23.0.tgz",
                "@pulumi/docker": "^1.0.0 || ^2.0.0",
        "@pulumi/docker": {
            "resolved": "https://registry.npmjs.org/@pulumi/docker/-/docker-2.5.0.tgz",
                "@pulumi/pulumi": "^2.0.0",
        "@pulumi/pulumi": {
            "resolved": "https://registry.npmjs.org/@pulumi/pulumi/-/pulumi-2.17.0.tgz",
                "@pulumi/query": "^0.3.0",
        "@pulumi/query": {
            "resolved": "https://registry.npmjs.org/@pulumi/query/-/query-0.3.0.tgz",
        "@pulumi/random": {
            "resolved": "https://registry.npmjs.org/@pulumi/random/-/random-3.0.1.tgz",
                "@pulumi/pulumi": "^2.15.0"
        "@pulumi/tls": {
            "resolved": "https://registry.npmjs.org/@pulumi/tls/-/tls-3.0.0.tgz",
                "@pulumi/pulumi": "^2.15.0"

broad-dog-22463

04/13/2021, 10:49 AM
so we made some changes to the authentication func since then and they were rolled out in pulumi-aws v3.29.1 - is there a way you can try to upgrade to test this out for yourself?

brave-planet-10645

04/13/2021, 10:52 AM
What does your credentials file look like (I think it's in C:\Users\username\.aws\credentials)? So mine looks like:
[default]
aws_access_key_id = [secret]
aws_secret_access_key = [secret]
[piers]
aws_access_key_id = [secret]
aws_secret_access_key = [secret]
and if I do
export AWS_PROFILE=piers
then I can switch to my piers profile.
Rather than doing $env:AWS_PROFILE can you do
setx AWS_PROFILE {profilename}

cold-yacht-45876

04/13/2021, 10:54 AM
my credential file looks like this:
[my-account]
aws_access_key_id=...
aws_secret_access_key=...
aws_session_token=...
same result after setx

brave-planet-10645

04/13/2021, 10:56 AM
Do you have a stack config file: Pulumi.{stackname}.yaml? Do you have any AWS settings in there?

cold-yacht-45876

04/13/2021, 10:57 AM
config:
  aws:region: eu-north-1
(from Pulumi.development.yaml, that is)

broad-dog-22463

04/13/2021, 11:03 AM
@cold-yacht-45876 any particular reason you have a session_token in your profile?

cold-yacht-45876

04/13/2021, 11:04 AM
it's required by some policy in our aws setup (I believe, not my expertise)

broad-dog-22463

04/13/2021, 11:05 AM
that feels like it's an SSO thing...
ah no
are you using MFA here?

cold-yacht-45876

04/13/2021, 11:06 AM
for personal login, we're using MFA and SSO, but not for command line access, though

broad-dog-22463

04/13/2021, 11:08 AM
the only difference here between your profile setup and @brave-planet-10645 is the use of the session_token, can you help me debug and see if we have an error here by commenting that out of your profile temporarily?

cold-yacht-45876

04/13/2021, 11:12 AM
I see the same behaviour without the session_token

brave-planet-10645

04/13/2021, 11:14 AM
what about on the aws cli without the session token?
What happens if you run aws s3 ls?

cold-yacht-45876

04/13/2021, 11:16 AM
I have to come back to you in a few minutes. In a meeting and need to focus a bit on that 🙂 sorry

brave-planet-10645

04/13/2021, 11:17 AM
ok

cold-yacht-45876

04/13/2021, 12:07 PM
I might have gotten it to work. Not sure what I did wrong and then right. Will get back to you if I see the same error again 🙂