This message was deleted Pulumi Community #general

Join Slack

This message was deleted.

# general

sparse-intern-71089

05/29/2019, 6:49 PM

This message was deleted.

dazzling-scientist-80826

05/29/2019, 6:53 PM

Verbose logging includes errors of the form

The specified log group does not exist

which makes sense if the aws calls are not doing the proper assume-role operation based on the provider

dazzling-scientist-80826

05/29/2019, 6:56 PM

looks like the code has a getAWSSession function that doesn’t properly respect the provider’s credentials - and a comment referencing https://github.com/pulumi/pulumi/issues/608

white-balloon-205

05/29/2019, 6:57 PM

white-balloon-205

05/29/2019, 6:57 PM

Are you using first class providers, or just default provider with a customer profile?

dazzling-scientist-80826

05/29/2019, 6:59 PM

first-class provider, but only because aws:profile config doesn’t seem to work (digging up the issue on that)

dazzling-scientist-80826

05/29/2019, 7:00 PM

this issue: https://github.com/pulumi/pulumi-aws/issues/252

dazzling-scientist-80826

05/29/2019, 7:00 PM

if that were fixed, i’d have have much lesser need for first-class providers (basically just one DNS record, instead of the complement: every resource except the dns record)

dazzling-scientist-80826

05/29/2019, 7:01 PM

but even still, i don’t think this logs impl supports assume role (with non-first-class providers), but i could be wrong

white-balloon-205

05/29/2019, 7:02 PM

No - it doesn’t - though I recall having a fix for that locally a few weeks ago.

dazzling-scientist-80826

05/29/2019, 7:04 PM

suggestions for how i should proceed in the short term? my least bad plan right now is to hack the go binary

dazzling-scientist-80826

05/29/2019, 7:05 PM

for logs, i mean - i used a first-class provider to work around the

aws:profile

config issue

white-balloon-205

05/29/2019, 7:07 PM

You mean to get logs working with first class providers? Unfortunately I don’t think there is going to be a workaround there other than to make the fix in

pulumi

. I expect it’s not a particularly difficult change. I can provide pointers a little later today.

dazzling-scientist-80826

05/29/2019, 7:08 PM

yeah, I was just going to hardcode the role arn i need in to getAWSSession

dazzling-scientist-80826

05/29/2019, 7:37 PM

quick and dirty, but this got me my logs back:

Copy code

diff --git a/pkg/operations/operations_aws.go b/pkg/operations/operations_aws.go
index d319edcf..301bcbb4 100644
--- a/pkg/operations/operations_aws.go
+++ b/pkg/operations/operations_aws.go
@@ -21,6 +21,7 @@ import (
 
        "<http://github.com/aws/aws-sdk-go/aws|github.com/aws/aws-sdk-go/aws>"
        "<http://github.com/aws/aws-sdk-go/aws/credentials|github.com/aws/aws-sdk-go/aws/credentials>"
+       "<http://github.com/aws/aws-sdk-go/aws/credentials/stscreds|github.com/aws/aws-sdk-go/aws/credentials/stscreds>"
        "<http://github.com/aws/aws-sdk-go/aws/session|github.com/aws/aws-sdk-go/aws/session>"
        "<http://github.com/aws/aws-sdk-go/service/cloudwatchlogs|github.com/aws/aws-sdk-go/service/cloudwatchlogs>"
        "<http://github.com/pkg/errors|github.com/pkg/errors>"
@@ -165,7 +166,12 @@ func getAWSSession(awsRegion, awsAccessKey, awsSecretKey, token string) (*sessio
                extraConfig.Credentials = credentials.NewStaticCredentials(awsAccessKey, awsSecretKey, token)
        }
 
-       return awsDefaultSession.Copy(extraConfig), nil
+       sess := awsDefaultSession.Copy(extraConfig)
+       extraConfig2 := aws.NewConfig()
+       var err2 error
+       extraConfig2.Region = aws.String(awsRegion)
+       extraConfig2.Credentials, err2 = stscreds.NewCredentials(sess, "MY_ARN_HERE"), nil
+       return awsDefaultSession.Copy(extraConfig2), err2
 }
 
 func (p *awsConnection) getLogsForLogGroupsConcurrently(

Open in Slack

Previous Next