01/28/2020, 12:19 AM
Hi All- I'm getting my feet wet with Pulumi on AWS. We use roles for interacting with AWS APIs, and they have a hard timeout of 1 hour. I'm also using S3 as the backend at the moment. I'm wondering what advice you might have that would help me deal with STS token timeouts during a stack deployment? For example, if I have an STS token that's valid for another 15 minutes, and I run a pulumi up that might take 30 minutes, about halfway through Pulumi will lose access to the S3 bucket backend, and then it gets all sorts of confused. Is there any way to launch asynchronous deployments with a non-SaaS backend? With CloudFormation, it submits the stack to AWS and runs asynchronously, so your token only needs to be valid for the length of time it takes to run
. I'm kind of hoping for something similar for Pulumi.
Happy to take this to the #aws channel if that's a better place for it.


01/28/2020, 3:26 AM
Sounds like the issue is the "hard limit" of the 1 hour situation. I'd work to get that fixed first, but past that, there's no way for Pulumi to check your session and send a request to some outside system asking for a refresh? Won't happen. So, what you should try is to see what happens if you manually update the role variables during execution of Pulumi. My guess is that you'll want to use some type of side process that is checking the creds and refreshing them as needed. Or maybe, you use a script to get temp creds, write them to a file, and update that file. Something like that. Pulumi uses the Terraform providers, and those make a bunch of individual calls so your question about a single asynchronous call is not likely to happen, unfortunately.
Of course it's possible for them to change their program to handle something like this, but seems like it's out of scope. Maybe check for a program that will refresh creds automatically? Maybe one is out there.


01/28/2020, 4:32 AM
Thanks - I'll have a poke around.


01/28/2020, 9:26 AM
@great-vr-65723 2.5 year open issue on the TF front: Since the Pulumi provider is based on the TF one, this issue is applicable here too.