https://pulumi.com logo
Title
g

gray-river-5585

04/27/2021, 8:50 PM
I am trying to use a s3 bucket as a backend for storing state. When I use
local
as a backend, I can successfully provision AWS resources, but when I try to setup a s3 backend, I get the below error. I can read/write to the bucket via AWS CLI. I have also tried using a fully public bucket (for debugging only) and got the same error. Any advice would be greatly appreciated
error: could not create stack: An IO error occurred while writing the new snapshot file: blob (key ".pulumi/stacks/dev.json") (code=Unknown): AccessDenied: Access Denied
        status code: 403, request id: XXXXXXXXXXXXX, host id: XXXXXXXXXXXXXXXXXXXXXX
b

billowy-army-68599

04/27/2021, 8:59 PM
do you have aws credentials configured for that bucket?
g

gray-river-5585

04/27/2021, 9:04 PM
I think so, I can use the AWS CLI to list, put, get
b

billowy-army-68599

04/27/2021, 9:11 PM
can you create that file
.pulumi/stacks/dev.json
?
g

gray-river-5585

04/27/2021, 9:14 PM
Yes, I can create that object via
aws s3api put-object
b

billowy-army-68599

04/27/2021, 9:17 PM
interesting, Pulumi just uses the AWS SDK so I can't understand why that wouldn't work
g

gray-river-5585

04/27/2021, 9:18 PM
I have tried cranking the verbose level, but I don't get any additional output
Looks like level 7 may have something extra to say https://github.com/pulumi/pulumi/blob/master/pkg/backend/filestate/state.go#L209, I will try that one specifically
hmm, cannot seem to get that logging line to fire
b

billowy-army-68599

04/27/2021, 9:54 PM
--logtostderr --verbose
should do it
g

gray-river-5585

04/27/2021, 9:56 PM
Thanks, that got the verbose logs out!
Unfortunately, no additional information in them
b

billowy-army-68599

04/27/2021, 10:14 PM
what does
aws sts get-caller-identity
return? do you have any env vars set that might be conflicting?
g

gray-river-5585

04/27/2021, 10:14 PM
I get a valid response with my token in it
I am wondering if I have misconfigured the
bucket-path
b

billowy-army-68599

04/27/2021, 10:15 PM
how have you set it?
g

gray-river-5585

04/27/2021, 10:16 PM
pulumi login <s3://s3>.[aws-region].<http://amazonaws.com/[bucket-name]|amazonaws.com/[bucket-name]>
b

billowy-army-68599

04/27/2021, 10:17 PM
did you try just
pulumi login <s3://bucket-name>
?
g

gray-river-5585

04/27/2021, 10:17 PM
Just tried that and got a new error!
@billowy-army-68599 That was it! Thank you for helping me step through that
b

billowy-army-68599

04/27/2021, 10:28 PM
No worries, Would you mind opening an issue for this in github.com/pulumi/pulumi? There’s no reason I can think of that the fully qualified bucket name shouldn’t work
g

gray-river-5585

04/27/2021, 11:08 PM
I would be happy to, I opened a docs PR for a minor wording change that would have helped me