https://pulumi.com logo
#general
Title
# general
m

modern-bear-85657

07/30/2019, 10:02 PM
new
aws.Provider
via AssumeRole is not working. I’ve followed the example:
Copy code
// build provider with STS creds
const arProvider = new aws.Provider('other-account', {
    assumeRole: {
        roleArn: config.require('role_arn'),
        sessionName: 'name',
        externalId: 'id'
    },
    region: aws.config.requireRegion()
})

const ca = output(getCertificateAuthority(
    { arn: config.require('ca_arn') },
    { provider: arProvider }
))
Error: invocation of aws:acmpca/getCertificateAuthority:getCertificateAuthority returned an error: No valid credential sources found for AWS Provider.
I’ve validated that the role name is accurate and I have permissions to assume it via the aws cli.
b

bitter-oil-46081

07/31/2019, 12:01 AM
Interesting, I just tried the following:
Copy code
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const provider = new aws.Provider("other-account", {
    assumeRole: {
        roleArn: "arn:aws:iam::[elided]",
        sessionName: "ellismg-assume-role-test",
    },
    region: "us-west-2",
});

(async () => {
    console.log(await aws.getCallerIdentity({provider: provider}));
})();
And things worked as expected (I can see that the resulting values show me my assumption of that role). I suspect that things will also fail for you if you just called
aws.getCallerIdentity
as well. How are your credentials configured? Are you seetting
AWS_ACCESS_KEY_ID
and
AWS_SECRET_ACCESS_KEY
explicitly? Expecting them to be pulled from
~/.aws/credentials
, something else?
You might try passing
--debug
to
pulumi preview
or
pulumi up
which should provide some additional diagnostics, for example, I see:
Copy code
debug: Attempting to AssumeRole arn:aws:iam::[elided](SessionName: "ellismg-assume-role-test", ExternalId: "", Policy: "")
    debug: AWS Auth provider used: "SharedCredentialsProvider"
    debug: AWS Auth provider used: "AssumeRoleProvider"
m

modern-bear-85657

07/31/2019, 12:35 PM
@bitter-oil-46081 Thanks, I’ve tried adding
--debug
, but I’m not seeing anything obvious. Maybe this line?
Copy code
Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
Copy code
debug: Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
    debug: assume_role configuration set: (ARN: "arn:aws:iam::[...]", SessionID: "PCA-Request", ExternalID: "", Policy: "")
    debug: Building AWS auth structure
    debug: Setting AWS metadata API timeout to 100ms
    debug: Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
    debug: Attempting to AssumeRole arn:aws:iam::[...] (SessionName: "PCA-Request", ExternalId: "", Policy: "")
    debug: Invoke RPC finished: tok=aws:index/getCallerIdentity:getCallerIdentity; err: Error: 2 UNKNOWN: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: No valid credential sources found for AWS Provider.
Running locally, I’m using my creds at
~/.aws/credentials
with a specified profile. Here’s the result (redacted) of my cli test:
Copy code
$ aws sts assume-role --role-arn "arn:aws:iam::[...]" --role-session-name "PCA-Test" --region us-east-1 --profile [...]
{
    "Credentials": {
        "AccessKeyId": "[...]",
        "SecretAccessKey": "[...]",
        "SessionToken": "[...]",
        "Expiration": "2019-07-30T22:09:37Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "[...]:PCA-Test",
        "Arn": "arn:aws:sts::[...]/[...]/PCA-Test"
    }
}
Here’s my stack config:
Copy code
config:
  aws:profile: [...]
  aws:region: us-east-1
Is there anything else that I might be missing?
b

bitter-oil-46081

08/01/2019, 8:40 PM
Super confusing to me - @stocky-spoon-28903 @broad-dog-22463 Do you have any idea what would cause the assume role to not be working here?
m

modern-bear-85657

08/05/2019, 7:25 PM
@bitter-oil-46081 @stocky-spoon-28903 @broad-dog-22463 We work in a multi-account organization. So, assume-role functionality is crucial to us moving forward with Pulumi.
@stocky-spoon-28903 @broad-dog-22463 Could I get some help?
s

stocky-spoon-28903

08/07/2019, 7:03 PM
That looks like it is not detecting any ambient credentials. The
To assume a role with. If you hard code then in the provider does that work? That should narrow down the scope of investigation
It’s 9pm here, so I’m not around much longer though
m

modern-bear-85657

08/07/2019, 7:09 PM
Thanks. Could you elaborate on hard-coding the provider? After initializing it, I’m passing it in:
Copy code
// build provider with STS creds
const arProvider = new aws.Provider('other-account', {
    assumeRole: {
        roleArn: config.require('role_arn'),
        sessionName: 'name',
        externalId: 'id'
    },
    region: aws.config.requireRegion()
})

const ca = output(getCertificateAuthority(
    { arn: config.require('ca_arn') },
    { provider: arProvider }
))
s

stocky-spoon-28903

08/07/2019, 7:21 PM
You need credentials to assume the role with
So access key and secret key
e

elegant-crayon-4967

11/19/2019, 8:28 PM
Did this ever get resolved? I’m having the exact same issue