Channels
#general
Title
a
aloof-tailor-93191
09/20/2018, 9:05 PMWhat is the best way to reach out and perform an AWS action in the midst of my Pulumi code?
my use case was:
create a KMS key, and then call out to KMS to encrypt a Pulumi secret config key and then take that value and set that as an environment variable on a lambda function
(my implementation language is go, in case that makes a difference)
I got this error when running `pulumi up`:
Copy code
NoCredentialProviders: no valid providers in chain.which I think means that the credentials that Pulumi is using were not available to my code
m
microscopic-florist-22719
09/20/2018, 9:07 PM
That's odd.
Oh--yes, that is accurate, though
w.r.t. the credentials
That's interesting, though. How are your credentials configured?
a
aloof-tailor-93191
09/20/2018, 9:08 PMis there a way to get access to the credentials under which Pulumi is running?
environment variables
m
microscopic-florist-22719
09/20/2018, 9:08 PM
And you're linking in the Azure SDK for Go?
a
aloof-tailor-93191
09/20/2018, 9:09 PMthe AWS sdk for go
m
microscopic-florist-22719
09/20/2018, 9:09 PM
yeah, my mistake
a
aloof-tailor-93191
09/20/2018, 9:09 PMyes, this one: https://github.com/aws/aws-sdk-go
m
microscopic-florist-22719
09/20/2018, 9:09 PM
That's what the Pulumi AWS provider uses internally, so it's surprising that it's not picking up the same credentials
a
aloof-tailor-93191
09/20/2018, 9:10 PMhere's my (admittedly hacky) code:
Copy code
func encrypt(arn, value string) (string, error) {
sess, err := session.NewSession(&aws.Config{
Region: aws.String("us-east-1"),
})
if err != nil {
return "", err
}
kmsSvc := awskms.New(sess)
result, err := kmsSvc.Encrypt(&awskms.EncryptInput{
KeyId: aws.String(arn),
Plaintext: []byte(value),
})
if err != nil {
return "", err
}
return string(result.CiphertextBlob), nil
}m
microscopic-florist-22719
09/20/2018, 9:10 PM
(and I don't think that those envvars are specific to the Pulumi AWS provider)
Yeah, that's exactly what I would write
a
aloof-tailor-93191
09/20/2018, 9:11 PMI was thinking about manually setting the creds as pulumi config values
m
microscopic-florist-22719
09/20/2018, 9:12 PM
That should certainly work.
a
aloof-tailor-93191
09/20/2018, 9:12 PMbut that seemed like an incorrect way to do it
heh
m
microscopic-florist-22719
09/20/2018, 9:14 PM
Can you try setting
CredentialsChainVerboseErrorsaws.Bool(true)aws.ConfigMight give us a bit more context
a
aloof-tailor-93191
09/20/2018, 9:15 PMyes, one second
Copy code
Diagnostics:
pulumi:pulumi:Stack: billing-billing-dev
info: error: program failed: 1 error occurred:
* marshaling properties: awaiting input property environment: NoCredentialProviders: no valid providers in chain
caused by: EnvAccessKeyNotFound: failed to find credentials in the environment.
SharedCredsLoad: failed to load profile, .
EC2RoleRequestError: no EC2 instance role found
caused by: RequestError: send request failed
caused by: Get <http://169.254.169.254/latest/meta-data/iam/security-credentials/>: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
pulumi:pulumi:Stack: billing-billing-dev
error: an unhandled error occurred: program exited with non-zero exit code: 1yeah, looks like it tried several ways of finding credentials
m
microscopic-florist-22719
09/20/2018, 9:26 PM
Yeah, and it does look like it couldn't find anything in the environment.
Just to be absolutely sure, you're setting
AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEYa
aloof-tailor-93191
09/20/2018, 9:26 PMI think what may be happening is that pulumi is not executing the program and passing the environment along
yeah
those are the ones
m
microscopic-florist-22719
09/20/2018, 9:27 PM
pulumi is not executing the program and passing the environment alongThis would be very surprising, but it's certainly possible
a
aloof-tailor-93191
09/20/2018, 9:27 PMI think I might be slightly unique in that I don't usually have a
~/.awslemme see if I can pull out what variables it is passing
m
microscopic-florist-22719
09/20/2018, 9:28 PM
So the resource plugins and the Go binary should be executed with the same envvars
But it should be easy enough to dump the set of envvars your program is getting using
os.Environa
aloof-tailor-93191
09/20/2018, 9:32 PM[PULUMI_PROJECT=billing PULUMI_STACK=billing-dev PULUMI_CONFIG={"aws:region":"us-east-1","slack:webhook":"[secret]"} PULUMI_DRY_RUN=true PULUMI_PARALLEL=10 PULUMI_MONITOR=127.0.0.1:43596 PULUMI_ENGINE=127.0.0.1:34309]is what the language plugin is sending
m
microscopic-florist-22719
09/20/2018, 9:41 PM
That... is surprising
a
aloof-tailor-93191
09/20/2018, 9:42 PMI verified that the aws vars aren't getting passed
doing a quick mod to see if passing them through will do the trick
m
microscopic-florist-22719
09/20/2018, 9:42 PM
Hah, this is a bug in the Go language runner specifically
It's overwriting the entire env rather than appending to it 🙄
a
aloof-tailor-93191
09/20/2018, 9:43 PMyes
I've run into this issue before in other situations
we could just take os.Environ() and append the vars we need to append
that would work
m
microscopic-florist-22719
09/20/2018, 9:44 PM
yeah
something like
Copy code
diff --git a/sdk/go/pulumi-language-go/main.go b/sdk/go/pulumi-language-go/main.go
index 505d130..50ebc02 100644
--- a/sdk/go/pulumi-language-go/main.go
+++ b/sdk/go/pulumi-language-go/main.go
@@ -179,7 +179,7 @@ func (host *goLanguageHost) constructEnv(req *pulumirpc.RunRequest) ([]string, e
return nil, err
}
- var env []string
+ env = append(nil, os.Environ()...)
maybeAppendEnv := func(k, v string) {
if v != "" {
env = append(env, fmt.Sprintf("%s=%s", k, v))(but with
env :=env =a
aloof-tailor-93191
09/20/2018, 9:52 PMyup
that works
I'll submit a PR
there are security implications to hoisting the entire env through, but that can be discussed there
m
microscopic-florist-22719
09/20/2018, 11:26 PM
Thanks!
a
aloof-tailor-93191
09/20/2018, 11:27 PMyou're welcome, thanks for working through it with me.