wooden-student-58350
04/21/2021, 2:37 PM
Project: infra // backend on aws-bastion
|- Stack: development // deploys resources to aws-dev
|- Stack: staging // deploys resources to aws-staging
|- Stack: production // deploys resources to aws-prod
# Pulumi.yaml
name: infra
runtime: nodejs
backend:
  url: <s3://my-pulumi-backend>
# Pulumi.development.yaml
secretsprovider: <awskms://alias/development/pulumi-secrets-key?region=eu-west-2>
encryptedkey: …
config:
  aws:accessKey: <dev user access key ID>
  aws:allowedAccountIds:
    - <dev AWS account ID>
  aws:region: eu-west-2
# .env
AWS_SECRET_ACCESS_KEY=<development user secret access key>
The problem is that Pulumi only looks for one set of AWS credentials for everything. So if I want my stack to use my dev access key in the program to build resources in my dev AWS account, Pulumi can’t access the backend S3 bucket on the bastion AWS account (and vice versa).
I think I could create a custom AWS provider in code based on the stack name, but then wouldn’t I have to manually specify that custom provider on every individual resource in the program? Is there a way to change the default provider on a per-stack basis while still allowing the project to use an S3 backend on a different account?
billowy-army-68599
04/21/2021, 2:39 PM
.env file, and also set them in your stack config. You can specify secret values for the secret access key and encrypt them using the --secret flag
wooden-student-58350
04/21/2021, 3:06 PM
billowy-army-68599
04/21/2021, 3:13 PM
wooden-student-58350
04/21/2021, 3:53 PM
.env altogether, and I made this work by specifying the bastion creds (for S3 backend) in ~/.aws/credentials. If I unset those and instead provide the creds in .env in the project directory, pulumi up fails with:
error: failed to load checkpoint: blob (key ".pulumi/stacks/development.json") (code=Unknown): NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
I assumed Pulumi would automatically pull in the env vars from .env, but it seems I’m missing a step to get Pulumi to see them.
In the end, I removed the .env file altogether, and put the dev account aws:accessKey and aws:secretKey in the stack config, and Pulumi does the right thing now. I’m happy for Pulumi to use the bastion creds in the aws credentials file to access the backend & secrets provider.
victorious-art-92103
04/21/2021, 6:13 PM
billowy-army-68599
04/21/2021, 6:42 PM
victorious-art-92103
04/21/2021, 6:53 PM
SomeResource('name', args, { provider: ... }) over and over again is no fun 🙂
billowy-army-68599
04/21/2021, 6:55 PM
victorious-art-92103
04/21/2021, 7:10 PM
billowy-army-68599
04/21/2021, 7:42 PM