I am trying to set up Pulumi to work with AWS role switching. We utilize several AWS accounts tied back to a single AWS identity account and we don't have users defined in any other account but our identity account. I've got my aws cli configured and I can specify a profile and it connects to the correct role_arn and account. However when trying to leverage this functionality in Pulumi it errors out with either

error configuring Terraform AWS Provider: Error creating AWS session: SharedConfigAssumeRoleError: failed to load assume role for arn:aws:iam::ACCTNUM:role/ROLE, source profile dev_pulumi has no shared credentials

or

error configuring Terraform AWS Provider: Error creating AWS session: CredentialRequiresARNError: credential type source_profile requires role_arn, profile dev-pulumi

My aws cli config

.aws/credentials
[default]
aws_access_key_id = redacted
aws_secret_access_key = redacted

[prod-main]
aws_access_key_id = redacted
aws_secret_access_key = redacted

[ecr-dev]
aws_access_key_id = redacted
aws_secret_access_key = redacted

[dev-pulumi]
aws_access_key_id = redacted
aws_secret_access_key = redacted

[default]
region = us-east-1

.aws/config
[profile prod]
source_profile = prod-main
role_arn = arn:aws:iam::redacted:role/redacted-TEMP
mfa_serial = arn:aws:iam::redacted:mfa/tony

[profile dev]
source_profile = prod-main
role_arn = arn:aws:iam::redacted:role/redacted-TEMP
mfa_serial = arn:aws:iam::redacted:mfa/tony

[profile eks-dev]
role_arn = arn:aws:iam::redacted:role/redacted-eksRole-role-redacted
source_profile = prod-main
mfa_serial = arn:aws:iam::redacted:mfa/tony

[profile ecr-dev]
source_profile = ecr-dev

[profile dev-pulumi]
source_profile = dev_pulumi
role_arn = arn:aws:iam::redacted:role/redacted-TEMP

I am currently just getting started with Pulumi so I am just following the basic steps outlined here: https://www.pulumi.com/docs/get-started/aws/begin/.

hey Tony! I could be wrong, but i think there's a typo here?

[dev-pulumi]
aws_access_key_id = redacted
aws_secret_access_key = redacted

[profile dev-pulumi]
source_profile = dev_pulumi
role_arn = arn:aws:iam::redacted:role/redacted-TEMP

well that's horribly embarassing

glad it was simple!

well maybe not... just realized in testing I created a user out of scope in the dev account to test that it worked and it worked with the user/role being in the same account. When I switch the awsprofile in the Pulumi.dev.yaml to just

dev

file it fails with

error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configuration

i'm not totally sure of the answer to that, it seems you're using profiles in a fairly unique way and I'm unfortunately not familiar with it - ultimately Pulumi will use the profile if it's set up correctly, it uses the AWS GO SDK

@purple-orange-91853 Check the Pulumi section here, maybe it will help: https://gist.github.com/Sodki/95b04ee9f4f44ed81de23b0cff3a4685

for context I am using the standard method by AWS to authenticate against different accounts. The roles and policies are configured correctly as I can switch via the AWS CLI and have access to the correct resources when using

--profile

in my cli strings. See

Example scenario: Allow an instance profile role to switch to a role in another account

in this AWS doc for reference. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-cli.html

@purple-orange-91853 it might be easier to jump on a call to get this configured, can you grab some time from here for next week? https://calendly.com/d/mxtb-bs7b/30-minute-meeting