aloof-tailor-93191

09/20/2018, 9:05 PM
What is the best way to reach out and perform an AWS action in the midst of my Pulumi code?
my use case was:
create a KMS key, and then call out to KMS to encrypt a Pulumi secret config key and then take that value and set that as an environment variable on a lambda function
(my implementation language is go, in case that makes a difference)
I got this error when running `pulumi up`:
```
NoCredentialProviders: no valid providers in chain.
```
which I think means that the credentials that Pulumi is using were not available to my code

microscopic-florist-22719

09/20/2018, 9:07 PM
That's odd.
Oh--yes, that is accurate, though
w.r.t. the credentials
That's interesting, though. How are your credentials configured?

aloof-tailor-93191

09/20/2018, 9:08 PM
is there a way to get access to the credentials under which Pulumi is running?
environment variables

microscopic-florist-22719

09/20/2018, 9:08 PM
And you're linking in the Azure SDK for Go?

aloof-tailor-93191

09/20/2018, 9:09 PM
the AWS sdk for go

microscopic-florist-22719

09/20/2018, 9:09 PM
yeah, my mistake

aloof-tailor-93191

09/20/2018, 9:09 PM

microscopic-florist-22719

09/20/2018, 9:09 PM
That's what the Pulumi AWS provider uses internally, so it's surprising that it's not picking up the same credentials

aloof-tailor-93191

09/20/2018, 9:10 PM
here's my (admittedly hacky) code:
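```go
import (
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	awskms "github.com/aws/aws-sdk-go/service/kms"
)

// encrypt encrypts value under the KMS key identified by arn.
func encrypt(arn, value string) (string, error) {
	// No credentials are set here, so the SDK falls back to its default
	// provider chain (environment, shared credentials file, instance role).
	sess, err := session.NewSession(&aws.Config{
		Region: aws.String("us-east-1"),
	})
	if err != nil {
		return "", err
	}

	kmsSvc := awskms.New(sess)

	result, err := kmsSvc.Encrypt(&awskms.EncryptInput{
		KeyId:     aws.String(arn),
		Plaintext: []byte(value),
	})
	if err != nil {
		return "", err
	}

	// CiphertextBlob is raw bytes; this conversion copies them unencoded.
	return string(result.CiphertextBlob), nil
}
```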

microscopic-florist-22719

09/20/2018, 9:10 PM
(and I don't think that those envvars are specific to the Pulumi AWS provider)
Yeah, that's exactly what I would write

aloof-tailor-93191

09/20/2018, 9:11 PM
I was thinking about manually setting the creds as pulumi config values

microscopic-florist-22719

09/20/2018, 9:12 PM
That should certainly work.

aloof-tailor-93191

09/20/2018, 9:12 PM
but that seemed like an incorrect way to do it
heh

microscopic-florist-22719

09/20/2018, 9:14 PM
Can you try setting `CredentialsChainVerboseErrors` to `aws.Bool(true)` in the `aws.Config` value you're building?
Might give us a bit more context

aloof-tailor-93191

09/20/2018, 9:15 PM
yes, one second
```
Diagnostics:
  pulumi:pulumi:Stack: billing-billing-dev
    info: error: program failed: 1 error occurred:
        * marshaling properties: awaiting input property environment: NoCredentialProviders: no valid providers in chain
    caused by: EnvAccessKeyNotFound: failed to find credentials in the environment.
    SharedCredsLoad: failed to load profile, .
    EC2RoleRequestError: no EC2 instance role found
    caused by: RequestError: send request failed
    caused by: Get <http://169.254.169.254/latest/meta-data/iam/security-credentials/>: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

  pulumi:pulumi:Stack: billing-billing-dev
    error: an unhandled error occurred: program exited with non-zero exit code: 1
```
yeah, looks like it tried several ways of finding credentials

microscopic-florist-22719

09/20/2018, 9:26 PM
Yeah, and it does look like it couldn't find anything in the environment.
Just to be absolutely sure, you're setting `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, right?

aloof-tailor-93191

09/20/2018, 9:26 PM
I think what may be happening is that pulumi is not executing the program and passing the environment along
yeah
those are the ones

microscopic-florist-22719

09/20/2018, 9:27 PM
> pulumi is not executing the program and passing the environment along
This would be very surprising, but it's certainly possible

aloof-tailor-93191

09/20/2018, 9:27 PM
I think I might be slightly unique in that I don't usually have a `~/.aws` directory. I have a way of managing my keys as just env vars and so I rely on that
lemme see if I can pull out what variables it is passing

microscopic-florist-22719

09/20/2018, 9:28 PM
So the resource plugins and the Go binary should be executed with the same envvars
But it should be easy enough to dump the set of envvars your program is getting using `os.Environ`

aloof-tailor-93191

09/20/2018, 9:32 PM
[PULUMI_PROJECT=billing PULUMI_STACK=billing-dev PULUMI_CONFIG={"aws:region":"us-east-1","slack:webhook":"[secret]"} PULUMI_DRY_RUN=true PULUMI_PARALLEL=10 PULUMI_MONITOR=127.0.0.1:43596 PULUMI_ENGINE=127.0.0.1:34309]
is what the language plugin is sending

microscopic-florist-22719

09/20/2018, 9:41 PM
That... is surprising

aloof-tailor-93191

09/20/2018, 9:42 PM
I verified that the aws vars aren't getting passed
doing a quick mod to see if passing them through will do the trick

microscopic-florist-22719

09/20/2018, 9:42 PM
Hah, this is a bug in the Go language runner specifically
It's overwriting the entire env rather than appending to it 🙄

aloof-tailor-93191

09/20/2018, 9:43 PM
yes
I've run into this issue before in other situations
we could just take os.Environ() and append the vars we need to append
that would work

microscopic-florist-22719

09/20/2018, 9:44 PM
yeah
something like
diff --git a/sdk/go/pulumi-language-go/main.go b/sdk/go/pulumi-language-go/main.go
index 505d130..50ebc02 100644
--- a/sdk/go/pulumi-language-go/main.go
+++ b/sdk/go/pulumi-language-go/main.go
@@ -179,7 +179,7 @@ func (host *goLanguageHost) constructEnv(req *pulumirpc.RunRequest) ([]string, e
                return nil, err
        }

-       var env []string
+       env = append(nil, os.Environ()...)
        maybeAppendEnv := func(k, v string) {
                if v != "" {
                        env = append(env, fmt.Sprintf("%s=%s", k, v))
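Review bot: The added line `env = append(nil, os.Environ()...)` will not compile as written: the `var env []string` declaration is removed, so `env` is undeclared, and `append` does not accept an untyped `nil` as its first argument. `env := os.Environ()` is enough here, since `os.Environ` already returns a fresh copy that `maybeAppendEnv` can append to. Separately, this forwards every variable in the language host's environment to the user program, including any secrets it holds; if that is wider than intended, copy an explicit allowlist of variables instead.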
(but with `env :=` rather than `env =`)

aloof-tailor-93191

09/20/2018, 9:52 PM
yup
that works
I'll submit a PR
there are security implications to hoisting the entire env through, but that can be discussed there

microscopic-florist-22719

09/20/2018, 11:26 PM
Thanks!

aloof-tailor-93191

09/20/2018, 11:27 PM
you're welcome, thanks for working through it with me.