# aws
w
Hi, I’m using a Pulumi program to create some resources on a bastion account and several sub-accounts, but I’m stuck with an error when I try to use a non-default `aws.Provider` to assume role into a sub-account role and create a resource in that sub-account:
```
# ~/.aws/credentials

[bastion-profile]
aws_access_key_id = redact
aws_secret_access_key = redact


# Pulumi.<stack>.yaml
…
config:
 aws:allowedAccountIds:
 - <bastionAccountId>
 aws:profile: bastion-profile
 aws:region: eu-west-2
 …


# index.ts

// Assume role into IAM Role "role-manager" in sub-account.
const subAccountProvider = new aws.Provider("…", {
   region: "eu-west-2",
   allowedAccountIds: [subAccountId],
   assumeRole: {
      sessionName: "role-manager-session",
      roleArn: `arn:aws:iam::${subAccountId}:role/role-manager`,
      externalId: "…",
      durationSeconds: 60 * 5,
   },
});

// Create a new resource in the sub-account.
const newRoleInSubAccount = new aws.iam.Role("new-role", {
   …
}, {
   provider: subAccountProvider,
});
```
On `pulumi up`, I get the following error:
```
error: 1 error occurred:
    * error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::<redact>:role/role-manager) cannot be assumed.

  There are a number of possible causes of this - the most common are:
   * The credentials used in order to assume the role are invalid
   * The credentials do not have appropriate permission to assume the role
   * The role ARN is not valid

  Error: NoCredentialProviders: no valid providers in chain. Deprecated.
    For verbose messaging see aws.Config.CredentialsChainVerboseErrors
```
I have verified:
• `aws.getCallerIdentity()` returns the expected IAM User from the “bastion-profile” credentials in `~/.aws/credentials`. That User has permission for the `sts:AssumeRole` action on the Role ARN in the error message.
• The IAM Role ARN in the error message exists, and its trust relationship allows the `sts:AssumeRole` action for any user in the bastion account.
• The default AWS provider works fine to create/destroy resources in the bastion account, so the credentials are valid.
What am I missing? Does Pulumi treat `~/.aws/credentials` differently for explicit providers vs the default provider?
b
Pulumi uses the AWS Go SDK for all its calls, so anything you're using with `~/.aws/credentials` should work. Does assuming the role manually work?
w
Aha! I tried it manually with the AWS CLI, and it gave me this error:
```
Parameter validation failed:
Invalid value for parameter DurationSeconds, value: 300, valid min value: 900
```
Changing the duration to 900 in the Pulumi program fixed the issue 🙂
Thanks for the suggestion
Should the underlying error message be passed through to the output of pulumi preview/up?
b
it's a little difficult for us to capture them, but we're working on some improvements here, sorry for the lack of info
w
No problem, thanks for your speedy response, very helpful 🙏