seems like `pulumi logs` returns no logs for funct...
# general
d
seems like `pulumi logs` returns no logs for functions that were created with an aws provider that does assume-role - is this a known issue? is there a workaround?
Verbose logging includes errors of the form `The specified log group does not exist` which makes sense if the aws calls are not doing the proper assume-role operation based on the provider
looks like the code has a getAWSSession function that doesn’t properly respect the provider’s credentials - and a comment referencing https://github.com/pulumi/pulumi/issues/608
w
Are you using first class providers, or just default provider with a customer profile?
d
first-class provider, but only because aws:profile config doesn’t seem to work (digging up the issue on that)
if that were fixed, i’d have much lesser need for first-class providers (basically just one DNS record, instead of the complement: every resource except the dns record)
but even still, i don’t think this logs impl supports assume role (with non-first-class providers), but i could be wrong
w
No - it doesn’t - though I recall having a fix for that locally a few weeks ago.
d
suggestions for how i should proceed in the short term? my least bad plan right now is to hack the go binary
for logs, i mean - i used a first-class provider to work around the `aws:profile` config issue
w
You mean to get logs working with first class providers? Unfortunately I don’t think there is going to be a workaround there other than to make the fix in `pulumi`. I expect it’s not a particularly difficult change. I can provide pointers a little later today.
d
yeah, I was just going to hardcode the role arn i need into getAWSSession
quick and dirty, but this got me my logs back:
diff --git a/pkg/operations/operations_aws.go b/pkg/operations/operations_aws.go
index d319edcf..301bcbb4 100644
--- a/pkg/operations/operations_aws.go
+++ b/pkg/operations/operations_aws.go
@@ -21,6 +21,7 @@ import (
 
        "<http://github.com/aws/aws-sdk-go/aws|github.com/aws/aws-sdk-go/aws>"
        "<http://github.com/aws/aws-sdk-go/aws/credentials|github.com/aws/aws-sdk-go/aws/credentials>"
+       "<http://github.com/aws/aws-sdk-go/aws/credentials/stscreds|github.com/aws/aws-sdk-go/aws/credentials/stscreds>"
        "<http://github.com/aws/aws-sdk-go/aws/session|github.com/aws/aws-sdk-go/aws/session>"
        "<http://github.com/aws/aws-sdk-go/service/cloudwatchlogs|github.com/aws/aws-sdk-go/service/cloudwatchlogs>"
        "<http://github.com/pkg/errors|github.com/pkg/errors>"
@@ -165,7 +166,12 @@ func getAWSSession(awsRegion, awsAccessKey, awsSecretKey, token string) (*sessio
                extraConfig.Credentials = credentials.NewStaticCredentials(awsAccessKey, awsSecretKey, token)
        }
 
-       return awsDefaultSession.Copy(extraConfig), nil
+       sess := awsDefaultSession.Copy(extraConfig)
+       extraConfig2 := aws.NewConfig()
+       var err2 error
+       extraConfig2.Region = aws.String(awsRegion)
+       extraConfig2.Credentials, err2 = stscreds.NewCredentials(sess, "MY_ARN_HERE"), nil
+       return awsDefaultSession.Copy(extraConfig2), err2
 }
 
 func (p *awsConnection) getLogsForLogGroupsConcurrently(
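
Review bot: the role ARN is a string literal ("MY_ARN_HERE") in the stscreds.NewCredentials call inside getAWSSession, so every log query would assume that one role no matter which provider created the resource. Pass the ARN in as a parameter taken from the provider's configuration, and skip the assume-role step when none is set. Separately, `extraConfig2.Credentials, err2 = stscreds.NewCredentials(sess, "MY_ARN_HERE"), nil` always assigns nil to err2, because NewCredentials returns only a credentials object. The variable can be dropped and the function can return nil directly. A wrong or unassumable role will not fail here; it surfaces later, when the first CloudWatch Logs call retrieves credentials, so that call site is where the error needs to be reported clearly.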