modern-bear-85657
07/30/2019, 10:02 PM
aws.Provider via AssumeRole is not working. I’ve followed the example:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const config = new pulumi.Config();

// build provider with STS creds
const arProvider = new aws.Provider('other-account', {
    assumeRole: {
        roleArn: config.require('role_arn'),
        sessionName: 'name',
        externalId: 'id'
    },
    region: aws.config.requireRegion()
})

// look up the private CA in the other account through the assume-role provider
const ca = pulumi.output(aws.acmpca.getCertificateAuthority(
    { arn: config.require('ca_arn') },
    { provider: arProvider }
))
Error: invocation of aws:acmpca/getCertificateAuthority:getCertificateAuthority returned an error: No valid credential sources found for AWS Provider.
I’ve validated that the role name is accurate and I have permissions to assume it via the aws cli.
bitter-oil-46081
07/31/2019, 12:01 AM
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const provider = new aws.Provider("other-account", {
    assumeRole: {
        roleArn: "arn:aws:iam::[elided]",
        sessionName: "ellismg-assume-role-test",
    },
    region: "us-west-2",
});

(async () => {
    console.log(await aws.getCallerIdentity({provider: provider}));
})();
And things worked as expected (I can see that the resulting values show me my assumption of that role). I suspect that things will also fail for you if you just called aws.getCallerIdentity as well.
How are your credentials configured? Are you setting AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY explicitly? Expecting them to be pulled from ~/.aws/credentials, something else?
--debug to pulumi preview or pulumi up which should provide some additional diagnostics, for example, I see:
debug: Attempting to AssumeRole arn:aws:iam::[elided](SessionName: "ellismg-assume-role-test", ExternalId: "", Policy: "")
debug: AWS Auth provider used: "SharedCredentialsProvider"
debug: AWS Auth provider used: "AssumeRoleProvider"
modern-bear-85657
07/31/2019, 12:35 PM
--debug, but I’m not seeing anything obvious. Maybe this line?
Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
debug: Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
debug: assume_role configuration set: (ARN: "arn:aws:iam::[...]", SessionID: "PCA-Request", ExternalID: "", Policy: "")
debug: Building AWS auth structure
debug: Setting AWS metadata API timeout to 100ms
debug: Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
debug: Attempting to AssumeRole arn:aws:iam::[...] (SessionName: "PCA-Request", ExternalId: "", Policy: "")
debug: Invoke RPC finished: tok=aws:index/getCallerIdentity:getCallerIdentity; err: Error: 2 UNKNOWN: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: No valid credential sources found for AWS Provider.
~/.aws/credentials with a specified profile. Here’s the result (redacted) of my cli test:
$ aws sts assume-role --role-arn "arn:aws:iam::[...]" --role-session-name "PCA-Test" --region us-east-1 --profile [...]
{
    "Credentials": {
        "AccessKeyId": "[...]",
        "SecretAccessKey": "[...]",
        "SessionToken": "[...]",
        "Expiration": "2019-07-30T22:09:37Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "[...]:PCA-Test",
        "Arn": "arn:aws:sts::[...]/[...]/PCA-Test"
    }
}
config:
  aws:profile: [...]
  aws:region: us-east-1
bitter-oil-46081
08/01/2019, 8:40 PM
modern-bear-85657
08/05/2019, 7:25 PM
stocky-spoon-28903
08/07/2019, 7:03 PM
modern-bear-85657
08/07/2019, 7:09 PM
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const config = new pulumi.Config();

// build provider with STS creds
const arProvider = new aws.Provider('other-account', {
    assumeRole: {
        roleArn: config.require('role_arn'),
        sessionName: 'name',
        externalId: 'id'
    },
    region: aws.config.requireRegion()
})

// look up the private CA in the other account through the assume-role provider
const ca = pulumi.output(aws.acmpca.getCertificateAuthority(
    { arn: config.require('ca_arn') },
    { provider: arProvider }
))
stocky-spoon-28903
08/07/2019, 7:21 PM
elegant-crayon-4967
11/19/2019, 8:28 PM