new `aws.Provider` via AssumeRole is not working. ...
# general
m
new `aws.Provider` via AssumeRole is not working. I’ve followed the example:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const config = new pulumi.Config();

// build provider with STS creds
const arProvider = new aws.Provider('other-account', {
    assumeRole: {
        roleArn: config.require('role_arn'),
        sessionName: 'name',
        externalId: 'id'
    },
    region: aws.config.requireRegion()
})

// look up the private CA in the other account through the assume-role provider
const ca = pulumi.output(aws.acmpca.getCertificateAuthority(
    { arn: config.require('ca_arn') },
    { provider: arProvider }
))
```
Error: invocation of aws:acmpca/getCertificateAuthority:getCertificateAuthority returned an error: No valid credential sources found for AWS Provider.
I’ve validated that the role name is accurate and I have permissions to assume it via the aws cli.
b
Interesting, I just tried the following:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const provider = new aws.Provider("other-account", {
    assumeRole: {
        roleArn: "arn:aws:iam::[elided]",
        sessionName: "ellismg-assume-role-test",
    },
    region: "us-west-2",
});

(async () => {
    console.log(await aws.getCallerIdentity({provider: provider}));
})();
```
And things worked as expected (I can see that the resulting values show me my assumption of that role). I suspect that things will also fail for you if you just called `aws.getCallerIdentity` as well. How are your credentials configured? Are you setting `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` explicitly? Expecting them to be pulled from `~/.aws/credentials`, something else?
You might try passing `--debug` to `pulumi preview` or `pulumi up`, which should provide some additional diagnostics, for example, I see:
```text
debug: Attempting to AssumeRole arn:aws:iam::[elided](SessionName: "ellismg-assume-role-test", ExternalId: "", Policy: "")
debug: AWS Auth provider used: "SharedCredentialsProvider"
debug: AWS Auth provider used: "AssumeRoleProvider"
```
m
@bitter-oil-46081 Thanks, I’ve tried adding `--debug`, but I’m not seeing anything obvious. Maybe this line?
```text
Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
```
```text
debug: Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
debug: assume_role configuration set: (ARN: "arn:aws:iam::[...]", SessionID: "PCA-Request", ExternalID: "", Policy: "")
debug: Building AWS auth structure
debug: Setting AWS metadata API timeout to 100ms
debug: Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
debug: Attempting to AssumeRole arn:aws:iam::[...] (SessionName: "PCA-Request", ExternalId: "", Policy: "")
debug: Invoke RPC finished: tok=aws:index/getCallerIdentity:getCallerIdentity; err: Error: 2 UNKNOWN: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: No valid credential sources found for AWS Provider.
```
Running locally, I’m using my creds at `~/.aws/credentials` with a specified profile. Here’s the result (redacted) of my CLI test:
```shell
$ aws sts assume-role --role-arn "arn:aws:iam::[...]" --role-session-name "PCA-Test" --region us-east-1 --profile [...]
{
    "Credentials": {
        "AccessKeyId": "[...]",
        "SecretAccessKey": "[...]",
        "SessionToken": "[...]",
        "Expiration": "2019-07-30T22:09:37Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "[...]:PCA-Test",
        "Arn": "arn:aws:sts::[...]/[...]/PCA-Test"
    }
}
```
Here’s my stack config:
```yaml
config:
  aws:profile: [...]
  aws:region: us-east-1
```
Is there anything else that I might be missing?
b
Super confusing to me - @stocky-spoon-28903 @broad-dog-22463 Do you have any idea what would cause the assume role to not be working here?
m
@bitter-oil-46081 @stocky-spoon-28903 @broad-dog-22463 We work in a multi-account organization. So, assume-role functionality is crucial to us moving forward with Pulumi.
@stocky-spoon-28903 @broad-dog-22463 Could I get some help?
s
That looks like it is not detecting any ambient credentials. The
To assume a role with. If you hard-code them in the provider, does that work? That should narrow down the scope of investigation.
It’s 9pm here, so I’m not around much longer though
m
Thanks. Could you elaborate on hard-coding the provider? After initializing it, I’m passing it in:
```typescript
// build provider with STS creds
const arProvider = new aws.Provider('other-account', {
    assumeRole: {
        roleArn: config.require('role_arn'),
        sessionName: 'name',
        externalId: 'id'
    },
    region: aws.config.requireRegion()
})

const ca = output(getCertificateAuthority(
    { arn: config.require('ca_arn') },
    { provider: arProvider }
))
```
s
You need credentials to assume the role with
So access key and secret key
e
Did this ever get resolved? I’m having the exact same issue