Is anyone else out there having a rough time getti...
# generalc
chilly-hairdresser-56259
05/22/2020, 9:05 PMIs anyone else out there having a rough time getting Pulumi to use aws Profiles? I have a shared credentials file in ~/.aws/credentials that has a default profile which has my access key and secret then I created another profile named sandbox which references a role_arn and source_profile of default. In the pulumi config I set aws:profile to use sandbox. However when I do a pulumi preview and write out the callidentity is still pointed to my main account.
b
best-lifeguard-91445
05/22/2020, 9:06 PMYep. I have this exact problem. It's being tracked here:
https://github.com/pulumi/pulumi/issues/4665
👍 1
c
chilly-hairdresser-56259
05/22/2020, 9:08 PMyuck. Ok was hoping this would work since I am putting this in a pipeline to manage multiple accounts..
chilly-hairdresser-56259
05/22/2020, 9:11 PMI mean technically I could within the program to an STS Assume role, but that is extra code that really shouldnt be needed.
chilly-hairdresser-56259
05/22/2020, 9:11 PMjust need the boto3 import for python
chilly-hairdresser-56259
05/22/2020, 9:12 PMmeh then you add a bunch of extra code cause pulumi doesn't recognize it
b
billowy-army-68599
05/22/2020, 9:13 PM
just out of interest, does it work with the
AWS_PROFILEbillowy-army-68599
05/22/2020, 9:13 PM
the linked issue is related to the secrets providers, which is a slightly different issue than the engine execution
s
sparse-state-34229
05/22/2020, 9:13 PMsparse-state-34229
05/22/2020, 9:13 PMtry that?
sparse-state-34229
05/22/2020, 9:14 PMmaybe not super relevant
c
chilly-hairdresser-56259
05/22/2020, 9:15 PM@billowy-army-68599 no I tried both setting just Environment Variable and aws:profile, then also setting both
b
billowy-army-68599
05/22/2020, 9:16 PM
hmm that's interesting, I
billowy-army-68599
05/22/2020, 9:16 PM
I have a similar setup and it seems to work fine
c
chilly-hairdresser-56259
05/22/2020, 9:17 PMI can manually using the same config do an STS:Assume Role call and get back temp creds. Just Pulumi isn't recognizing the Profile to assume
chilly-hairdresser-56259
05/22/2020, 9:20 PMusing v2.2.1
chilly-hairdresser-56259
05/22/2020, 9:22 PMCred FIle
b
billowy-army-68599
05/22/2020, 9:22 PM
Can you open an issue in Pulumi/pulumi for this, I’d like to track it
c
chilly-hairdresser-56259
05/22/2020, 9:22 PMok
b
billowy-army-68599
05/22/2020, 9:24 PM
I’m also assuming you’re using the aws provider?
c
chilly-hairdresser-56259
05/22/2020, 9:26 PMchilly-hairdresser-56259
05/22/2020, 9:26 PMYes. Version 2.4.0
chilly-hairdresser-56259
05/22/2020, 9:31 PMpython 3.7.7
m
microscopic-article-39213
05/24/2020, 2:23 AMI think I am hitting the same issue. Fresh Pulumi / awscli installed. I have profiles configured correctly, and the Pulumi stack configured to use a working profile. Consistently seeing:
s
strong-plastic-28250
05/24/2020, 3:19 PMYou should print the getcallidentity accountid see if you are working in the expected account @microscopic-article-39213
m
microscopic-article-39213
05/26/2020, 2:17 AM@chilly-hairdresser-56259
Attempting to call
aws.getCallerIdentitypulumi diagnosticaws s3 ls --profile=<profile name>c
chilly-hairdresser-56259
05/28/2020, 2:26 PMIm going to start looking at this again today, try to figure out if maybe I am doing something wrong and comment on the github issue if I find anything.
chilly-hairdresser-56259
05/28/2020, 4:19 PM@billowy-army-68599 I put in place a work around with aws-vault, not ideal, but it works. @microscopic-article-39213
👍 1
b
billowy-army-68599
05/28/2020, 4:19 PM
thanks, I didn't get time to look at this yet, but would appreciate a comment on the issue with your workaround
👍 1
c
chilly-hairdresser-56259
05/28/2020, 4:19 PMwill do thanks
19 Views