# general
l
Are you using a cloud backend? You'll need those creds, at least...
b
i've got the pulumi API key, just not AWS creds
i'd like to be able to do a preview in a CI/CD pipeline without providing AWS credentials
but it seems the underlying terraform provider needs some kind of credentials to run:
error: error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.

    Please see <https://registry.terraform.io/providers/hashicorp/aws>
    for more information about providing credentials.

    Error: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors
l
Seems to be working for me, though I can't be sure because I'm in the middle of some changes and the code isn't totally valid...
Yea, when I comment out AWS_PROFILE from my Docker environment, my `pulumi preview` doesn't complain about auth, and gives me valid differences between code and state
When I comment out PULUMI_ACCESS_TOKEN, I'm getting
error: Preview failed: constructing secrets manager of type "cloud": secrets (code=Unknown): NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
At first glance, it seems to work. Do you use the AWS SDK, or anything else that might need AWS creds?
Check your Pulumi.yaml (is there a backend that mentions s3?) and Pulumi.<stack>.yaml (is there a secretsprovider that mentions awskms?).
b
nothing in Pulumi.yaml about a different backend and definitely no secrets provider
something i've just noticed though is the error i pasted above seems to occur while it's computing an `aws.iam.Role`
this is the code for the specific role:
const instanceRole = new aws.iam.Role(`${stack}-instance-role`, {
    assumeRolePolicy: {
        Version: "2012-10-17",
        Statement: [{
            Sid: "AllowEc2",
            Principal: { Service: "ec2.amazonaws.com" },
            Effect: "Allow",
            Action: "sts:AssumeRole"
        }]
    }
});
it's not making any calls to the AWS API so i don't understand why it'd be complaining
l
Sorry, we've reached the limits of my knowledge. I'll leave AWS_PROFILE and AWS_SDK_LOAD_CONFIG commented out in my docker compose file; as I fix unrelated issues in my code, I might get closer to where you are.
b
no worries - thanks for your help
l
I've fixed all my errors, and now I am seeing the same thing. If I comment out AWS_PROFILE and run `docker-compose run puluimi/pulumi-nodejs preview` then I do see
error: Preview failed: constructing secrets manager of type "cloud": secrets (code=Unknown): NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
I'm using the default Pulumi backend and secretsprovider.
b
so i gave pulumi some dummy creds - valid credentials to talk to AWS but with zero permissions to actually do anything and now i'm getting the following:
Diagnostics:
  aws:iam:Role (dev-instance-role):
    error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid.
        status code: 403, request id: 71f62027-ddf8-4f43-a017-54b2c5bf88a2
so it seems just creating a role causes Pulumi (via terraform) to make calls to the AWS API
meaning it will require creds to do the preview
l
Hmm. That should be fixable. As I understand it, Pulumi don't use the provider directly, they build their provider from the Terraform one. They probably wouldn't want to fix it though, they'd rather suck in new, fixed Terraform code and stay in sync with the upstream code...
Which means, to get this fixed, you'd have to raise an issue against terraform-aws.