
many-yak-61188

07/14/2021, 5:10 PM
hello 👋 more of a pulumi/actions + github workflow question. I set up github self hosted runners on AWS, the EC2 instances have IAM role based permissions. However when I set up github workflows pulumi insists on configuration of AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY. On the machine I tried some aws cli commands and they work perfectly. QQ: Is there a way to use pulumi/actions without configuring credentials, because the host that is the runner has role based permissions assigned to it?

billowy-army-68599

07/14/2021, 5:30 PM
you should be able to set a config option and it should just work
if you can't get it working, feel free to ping me and I'll jump on a call

many-yak-61188

07/14/2021, 5:44 PM
ty. you are much appreciated 🙏🏻. I'll try it out today shortly. might take you up tomorrow if required 🤞 I'll figure it out.
Sorry, didn't get time to get to this earlier. I made some progress, but I still cannot root cause why pulumi preview fails in a github workflow/runner environment where the runner is self hosted on an ec2 instance. I'll recap my attempts and the steps I took to try to debug the issue.
I've two self hosted runners on github. the runners are ec2 instances with an instance profile / instance role assigned to them
when running pulumi up in my github workflow, it fails with the error below
error: 1 error occurred:
      	* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
      
      Please see <https://registry.terraform.io/providers/hashicorp/aws>
      for more information about providing credentials.
      
      Error: NoCredentialProviders: no valid providers in chain. Deprecated.
      	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
I followed the documentation to verify that instance metadata is configured correctly - using curl and aws cli. Posting output from aws cli below
aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************BUOX         iam-role
secret_key     ****************Ynfn         iam-role
    region                us-east-1             imds
next I decided to ~write~/steal a simple aws go sdk example to see if the sdk finds the credentials correctly
package main

import (
	"fmt"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/ec2"
)

func main() {
	states := []string{"running"}
	region := "us-east-1"

	sess := session.Must(session.NewSession(&aws.Config{
		Region: aws.String(region),
	}))

	ec2Svc := ec2.New(sess)
	params := &ec2.DescribeInstancesInput{
		Filters: []*ec2.Filter{
			{
				Name:   aws.String("instance-state-name"),
				Values: aws.StringSlice(states),
			},
		},
	}

	result, err := ec2Svc.DescribeInstances(params)
	if err != nil {
		fmt.Println("Error", err)
	} else {
		fmt.Printf("\n\n\nFetching instance details for region: %s \n ", region)
		if len(result.Reservations) == 0 {
			fmt.Printf("There is no instance for the region: %s\n", region)
		}
		for _, reservation := range result.Reservations {

			fmt.Println("printing instance details.....")
			for _, instance := range reservation.Instances {
				fmt.Println("instance id " + *instance.InstanceId)
				fmt.Println("current State " + *instance.State.Name)
			}
		}
		fmt.Printf("done for region %s **** \n", region)
	}
}
this succeeded. 🤷
please lmk any thoughts or if you can spend 5m with me
at your convenience obviously, sorry just realized I was doing this on a weekend. 🤦

billowy-army-68599

07/17/2021, 5:58 PM
Did you set the config option I mentioned? Please show your stack confit
Config*

many-yak-61188

07/17/2021, 6:21 PM
ah yep, i'm a complete idiot sorry did that now
pulumi config set aws:skipMetadataApiCheck false
if only i read things more carefully, extremely sorry about that.
all good now 💥 💥💥💥 appreciate the response on the weekend, enjoy the rest of your weekend

billowy-army-68599

07/17/2021, 6:46 PM
no worries 😄 you'll need to set that for every stack