Seems like `pulumi up` isn't using the profile set...
# general
b
Seems like `pulumi up` isn't using the profile set in the config? Pulumi.prod.yaml:
```yaml
secretsprovider: ....
encryptedkey: ...
config:
  aws:profile: prod-pa
  aws:region: us-east-1
```
I get this error:
```
error: getting secrets manager: secrets (code=Unknown): AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
        status code: 400, request id: 91f0ea5d-cd55-44b0-8f4f-1413547fb896
```
I can describe the KMS successfully using:
```shell
aws kms describe-key --key-id=65500644-e3e5-44be-b3ea-d3928b0af188 --profile=pa-prod
```
So this makes me think the profile isn't being provided?
f
Are you using that key to setup the encryption provider or are you accessing it in your code?
If for the encryption provider, I believe you’d have to have the auth setup locally to work similar to if you were using the `go-sdk`. See: https://www.pulumi.com/docs/intro/concepts/config/#aws-key-management-service-kms. This is separate from the `aws-profile` config value. That value is used for any resources in the stack itself.
I think if you set the profile environment variable like so it should work: `AWS_PROFILE=pa-prod`
I do think this seems like a valid point though. It wouldn’t be a bad assumption that if you’re using kms for encryption that it should respect the stack values as well.
b
yes, it's for the encryption provider
setting the profile env variable is producing the same results 😕
f
Hmm, that’s odd.. what region is the key in?
b
us-east-1
f
Can you try to set `AWS_REGION=us-east-1` as well for the sake of debugging?
b
sure thing, 1 sec
Same issue
Just closed my console out and reopened it -- getting a new error now:
```
error: getting secrets manager: secrets (code=Unknown): InvalidSignatureException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
        status code: 400, request id: 257a0c7f-303e-4a72-8ec8-a83bd6e19e9f
```
brb rebooting.
ok.. After rebooting, setting the ENV variables directly is working
Second attempt is not working - ugh
l
@best-lifeguard-91445 your yaml lists `prod-pa` where your command line mentions `pa-prod`. Mismatch?
b
@limited-rainbow-51650 -- I corrected that already 🙂 thanks tho
f
you need to get your auth in a state where this works: `aws kms describe-key --key-id={{key-id}}`
does that currently work for you?
b
That works after setting the AWS_SECRET_ACCESS_KEY and ID in the current session
l
Is the KMS key in the same region as the resources being created? I once filed this against the underlying Terraform provider: https://github.com/terraform-providers/terraform-provider-aws/issues/7750 Could be related.
b
yes same region
Ringo, "up" works if I explicitly set the AWS credentials as env variables
FYI - The aforementioned errors were from a PowerShell prompt. The CMD prompt is working differently: setting `AWS_PROFILE=pa-prod`
```
c:\Repos\pa\pa_infrastructure>pulumi up
error: getting secrets manager: secrets (code=Unknown): AccessDenied: User: arn:aws:iam::057043601195:user/pulumi-admin is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::057043601195:role/OrganizationAccountAccessRole
        status code: 403, request id: d634ecf0-d009-48a4-8d23-37ca566e371f
```
l
What do you get with using the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables from the `pa-prod` profile in CMD prompt, also unsetting `AWS_PROFILE`?
b
works fine
l
I would file a GH issue if I were you. This is definitely something to track down.
b
Will do! thanks @limited-rainbow-51650