#general

ripe-dinner-40604

09/16/2019, 6:44 PM
Is there documentation on the credentials needed for a Pulumi preview command? I'd like to set up CI to preview with minimal permissions

broad-dog-22463

09/16/2019, 6:48 PM
Hi @ripe-dinner-40604, The credentials will still be the same required, i.e. if AWS then we need ACCESS_KEY_ID and SECRET_ACCESS_KEY etc

ripe-dinner-40604

09/16/2019, 6:52 PM
I mean the permissions that the AWS role would require
I'm going to make a special role with minimal IAM permissions preferably read-only since it's a preview
Sorry that was a poorly worded question 🙂

broad-dog-22463

09/16/2019, 6:54 PM
so that all depends on what your pulumi program is doing - IAM permissions / policies will be specific to each of the providers. So there is no base that we can suggest

ripe-dinner-40604

09/16/2019, 6:55 PM
Okay, can you confirm that it doesn't need write permissions to the objects?
e.g.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:Get*",
      "iam:List*",
      "iam:Generate*"
    ],
    "Resource": "*"
  }
}
After creating permissions for other resources than iam, I'm getting an interesting error on my Kubernetes preview
❯ pulumi preview
Previewing update (dev):

     Type                                       Name         Plan     Info
     pulumi:pulumi:Stack                        kubiome-dev
     └─ kubernetes:storage.k8s.io:StorageClass  fsx-sc                1 error

Diagnostics:
  kubernetes:storage.k8s.io:StorageClass (fsx-sc):
    error: Failed to check for changes in resource default/fsx-sc because of an error communicating with the API server: the server has asked for the client to provide credentials