#general

chilly-hairdresser-56259

05/22/2020, 9:05 PM
Is anyone else out there having a rough time getting Pulumi to use AWS profiles? I have a shared credentials file in ~/.aws/credentials that has a default profile which has my access key and secret, then I created another profile named sandbox which references a role_arn and source_profile of default. In the pulumi config I set aws:profile to use sandbox. However, when I do a pulumi preview and write out the caller identity, it is still pointed to my main account.

best-lifeguard-91445

05/22/2020, 9:06 PM
Yep. I have this exact problem. It's being tracked here: https://github.com/pulumi/pulumi/issues/4665
👍 1

chilly-hairdresser-56259

05/22/2020, 9:08 PM
yuck. Ok was hoping this would work since I am putting this in a pipeline to manage multiple accounts..
I mean technically I could, within the program, do an STS Assume role, but that is extra code that really shouldn't be needed.
just need the boto3 import for python
meh then you add a bunch of extra code cause pulumi doesn't recognize it

billowy-army-68599

05/22/2020, 9:13 PM
just out of interest, does it work with the AWS_PROFILE environment variable?
the linked issue is related to the secrets providers, which is a slightly different issue than the engine execution

sparse-state-34229

05/22/2020, 9:13 PM
try that?
maybe not super relevant

chilly-hairdresser-56259

05/22/2020, 9:15 PM
@billowy-army-68599 no I tried both setting just Environment Variable and aws:profile, then also setting both

billowy-army-68599

05/22/2020, 9:16 PM
hmm that's interesting, I
I have a similar setup and it seems to work fine

chilly-hairdresser-56259

05/22/2020, 9:17 PM
I can manually using the same config do an STS:Assume Role call and get back temp creds. Just Pulumi isn't recognizing the Profile to assume
using v2.2.1
Cred File

billowy-army-68599

05/22/2020, 9:22 PM
Can you open an issue in Pulumi/pulumi for this, I’d like to track it

chilly-hairdresser-56259

05/22/2020, 9:22 PM
ok

billowy-army-68599

05/22/2020, 9:24 PM
I’m also assuming you’re using the aws provider?

chilly-hairdresser-56259

05/22/2020, 9:26 PM
Yes. Version 2.4.0
python 3.7.7

microscopic-article-39213

05/24/2020, 2:23 AM
I think I am hitting the same issue. Fresh Pulumi / awscli installed. I have profiles configured correctly, and the Pulumi stack configured to use a working profile. Consistently seeing:

strong-plastic-28250

05/24/2020, 3:19 PM
You should print the getCallerIdentity accountid to see if you are working in the expected account @microscopic-article-39213

microscopic-article-39213

05/26/2020, 2:17 AM
@chilly-hairdresser-56259 Attempting to call aws.getCallerIdentity fails with the same error as above: The pulumi diagnostic line prints out the named profile I want to use, which confirms to me that Pulumi knows about the named profile configured, but it does not seem to be using it. Using that named profile with aws-cli directly works fine ala:
aws s3 ls --profile=<profile name>
Happy to try other things to help debug.

chilly-hairdresser-56259

05/28/2020, 2:26 PM
I'm going to start looking at this again today, try to figure out if maybe I am doing something wrong and comment on the GitHub issue if I find anything.
@billowy-army-68599 I put in place a workaround with aws-vault, not ideal, but it works. @microscopic-article-39213
👍 1

billowy-army-68599

05/28/2020, 4:19 PM
thanks, I didn't get time to look at this yet, but would appreciate a comment on the issue with your workaround
👍 1

chilly-hairdresser-56259

05/28/2020, 4:19 PM
will do thanks