seems like `pulumi logs` returns no logs for funct...
# general
seems like
pulumi logs
returns no logs for functions that were created with an aws provider that does assume-role - is this a known issue? is there a workaround?
Verbose logging includes errors of the form
The specified log group does not exist
which makes sense if the aws calls are not doing the proper assume-role operation based on the provider
looks like the code has a getAWSSession function that doesn’t properly respect the provider’s credentials - and a comment referencing
Are you using first class providers, or just default provider with a customer profile?
first-class provider, but only because aws:profile config doesn’t seem to work (digging up the issue on that)
if that were fixed, i’d have have much lesser need for first-class providers (basically just one DNS record, instead of the complement: every resource except the dns record)
but even still, i don’t think this logs impl supports assume role (with non-first-class providers), but i could be wrong
No - it doesn’t - though I recall having a fix for that locally a few weeks ago.
suggestions for how i should proceed in the short term? my least bad plan right now is to hack the go binary
for logs, i mean - i used a first-class provider to work around the
config issue
You mean to get logs working with first class providers? Unfortunately I don’t think there is going to be a workaround there other than to make the fix in
. I expect it’s not a particularly difficult change. I can provide pointers a little later today.
yeah, I was just going to hardcode the role arn i need in to getAWSSession
quick and dirty, but this got me my logs back:
Copy code
diff --git a/pkg/operations/operations_aws.go b/pkg/operations/operations_aws.go
index d319edcf..301bcbb4 100644
--- a/pkg/operations/operations_aws.go
+++ b/pkg/operations/operations_aws.go
@@ -21,6 +21,7 @@ import (
+       "<|>"
@@ -165,7 +166,12 @@ func getAWSSession(awsRegion, awsAccessKey, awsSecretKey, token string) (*sessio
                extraConfig.Credentials = credentials.NewStaticCredentials(awsAccessKey, awsSecretKey, token)
-       return awsDefaultSession.Copy(extraConfig), nil
+       sess := awsDefaultSession.Copy(extraConfig)
+       extraConfig2 := aws.NewConfig()
+       var err2 error
+       extraConfig2.Region = aws.String(awsRegion)
+       extraConfig2.Credentials, err2 = stscreds.NewCredentials(sess, "MY_ARN_HERE"), nil
+       return awsDefaultSession.Copy(extraConfig2), err2
 func (p *awsConnection) getLogsForLogGroupsConcurrently(