best-lifeguard-91445
05/18/2020, 6:07 PM
pulumi up isn't using the profile set in the config?
Pulumi.prod.yaml:
secretsprovider: ....
encryptedkey: ...
config:
  aws:profile: prod-pa
  aws:region: us-east-1
I get this error:
error: getting secrets manager: secrets (code=Unknown): AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
status code: 400, request id: 91f0ea5d-cd55-44b0-8f4f-1413547fb896
I can describe the KMS successfully using:
aws kms describe-key --key-id=65500644-e3e5-44be-b3ea-d3928b0af188 --profile=pa-prod
So this makes me think the profile isn't being provided?
future-barista-68134
05/18/2020, 6:32 PM
go-sdk. See: https://www.pulumi.com/docs/intro/concepts/config/#aws-key-management-service-kms.
This is separate from the aws-profile config value. That value is used for any resources in the stack itself.
AWS_PROFILE=pa-prod
best-lifeguard-91445
05/18/2020, 6:41 PM
future-barista-68134
05/18/2020, 6:46 PM
best-lifeguard-91445
05/18/2020, 6:46 PM
future-barista-68134
05/18/2020, 6:47 PM
AWS_REGION=us-east-1
best-lifeguard-91445
05/18/2020, 6:49 PM
error: getting secrets manager: secrets (code=Unknown): InvalidSignatureException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
status code: 400, request id: 257a0c7f-303e-4a72-8ec8-a83bd6e19e9f
limited-rainbow-51650
05/18/2020, 7:13 PM
prod-pa where your command line mentions pa-prod. Mismatch?
best-lifeguard-91445
05/18/2020, 7:15 PM
future-barista-68134
05/18/2020, 7:17 PM
aws kms describe-key --key-id={{key-id}}
best-lifeguard-91445
05/18/2020, 7:22 PM
limited-rainbow-51650
05/18/2020, 7:23 PM
best-lifeguard-91445
05/18/2020, 7:23 PM
c:\Repos\pa\pa_infrastructure>pulumi up
error: getting secrets manager: secrets (code=Unknown): AccessDenied: User: arn:aws:iam::057043601195:user/pulumi-admin is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::057043601195:role/OrganizationAccountAccessRole
status code: 403, request id: d634ecf0-d009-48a4-8d23-37ca566e371f
limited-rainbow-51650
05/18/2020, 7:31 PM
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables from the pa-prod profile in CMD prompt, also unsetting AWS_PROFILE?
best-lifeguard-91445
05/18/2020, 7:35 PM
limited-rainbow-51650
05/18/2020, 7:37 PM
best-lifeguard-91445
05/18/2020, 7:48 PM