https://pulumi.com logo
#general
Title
# general
b

best-lifeguard-91445

05/18/2020, 6:07 PM
Seems like
pulumi up
isn't using the profile set in the config? Pulumi.prod.yaml:
Copy code
secretsprovider: ....
encryptedkey: ...
config:
  aws:profile: prod-pa
  aws:region: us-east-1
I get this error:
Copy code
error: getting secrets manager: secrets (code=Unknown): AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
        status code: 400, request id: 91f0ea5d-cd55-44b0-8f4f-1413547fb896
I can describe the KMS successfully using:
Copy code
aws kms describe-key --key-id=65500644-e3e5-44be-b3ea-d3928b0af188 --profile=pa-prod
So this makes me think the profile isn't being provided?
f

future-barista-68134

05/18/2020, 6:32 PM
Are you using that key to setup the encryption provider or are you accessing it in your code?
If for the encryption provider, I believe you’d have to have the auth setup locally to work similar to if you were using the
go-sdk
. See: https://www.pulumi.com/docs/intro/concepts/config/#aws-key-management-service-kms. This is separate from the
aws-profile
config value. That value is used for any resources in the stack itself.
I think if you set the profile environment variable like so it should work:
AWS_PROFILE=pa-prod
I do think this seems like a valid point though. It wouldn’t be a bad assumption that if you’re using kms for encryption that it should respect the stack values as well.
b

best-lifeguard-91445

05/18/2020, 6:41 PM
yes, it's for the encryption provider
setting the profile env variable is producing the same results 😕
f

future-barista-68134

05/18/2020, 6:46 PM
Hmm, that’s odd.. what region is the key in?
b

best-lifeguard-91445

05/18/2020, 6:46 PM
us-east-1
f

future-barista-68134

05/18/2020, 6:47 PM
AWS_REGION=us-east-1
can you try to set that as well for the sake of debugging?
b

best-lifeguard-91445

05/18/2020, 6:49 PM
sure thing, 1 sec
Same issue
Just closed my console out and reopened it -- getting a new error now:
Copy code
error: getting secrets manager: secrets (code=Unknown): InvalidSignatureException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
        status code: 400, request id: 257a0c7f-303e-4a72-8ec8-a83bd6e19e9f
brb rebooting.
ok.. After rebooting setting the ENV variables directly is working
Second attempt is not working - ugh
l

limited-rainbow-51650

05/18/2020, 7:13 PM
@best-lifeguard-91445 your yaml lists
prod-pa
where your command line mentions
pa-prod
. Mismatch?
b

best-lifeguard-91445

05/18/2020, 7:15 PM
@limited-rainbow-51650 -- I corrected that already 🙂 thanks tho
f

future-barista-68134

05/18/2020, 7:17 PM
you need to get your auth in a state where this works:
aws kms describe-key --key-id={{key-id}}
does that currently work for you?
b

best-lifeguard-91445

05/18/2020, 7:22 PM
That works after setting the AWS_SECRET_ACCESS_KEY and ID in the current session
l

limited-rainbow-51650

05/18/2020, 7:23 PM
Is the KMS key in the same region as the resources being created? I once filed this against the underlying Terraform provider: https://github.com/terraform-providers/terraform-provider-aws/issues/7750 Could be related.
b

best-lifeguard-91445

05/18/2020, 7:23 PM
yes same region
RIngo "up" works, if I explicitly set the AWS credentials as env variables
FYI - The aforementioned errors were from a powershell prompt The CMD prompt is working differently: Setting AWS_PROFILE=pa-prod
Copy code
c:\Repos\pa\pa_infrastructure>pulumi up
error: getting secrets manager: secrets (code=Unknown): AccessDenied: User: arn:aws:iam::057043601195:user/pulumi-admin is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::057043601195:role/OrganizationAccountAccessRole
        status code: 403, request id: d634ecf0-d009-48a4-8d23-37ca566e371f
l

limited-rainbow-51650

05/18/2020, 7:31 PM
What do you get with using the
AWS_ACCESS_KEY_ID
and
AWS_SECRET_ACCES_KEY
environment variables from the
pa-prod
profile in CMD prompt, also unsetting
AWS_PROFILE
?
b

best-lifeguard-91445

05/18/2020, 7:35 PM
works fine
l

limited-rainbow-51650

05/18/2020, 7:37 PM
I would file a GH issue if I were you. This is definitely something to track down.
b

best-lifeguard-91445

05/18/2020, 7:48 PM
Will do! thanks @limited-rainbow-51650
2 Views