Hi All I have a problem with my s3 buckets which created on

Question

Hi All I have a problem with my s3 buckets which created on external regions with AWS provider This problem happened probably because we upgrade the Pulumi version We created the s3 buckets with this function below and evertythin works fine ```def create region external s3 artifact buckets buckets = regions = conf require object externalRegions regions append conf require primaryRegion for region in regions provider = Provider f s3 region provider region=region bucket conf = name f ARTIFACTS BUCKET region acl None policy PUBLIC OBJECT READ FOR BUCKET name tags = get resource name by convention f ARTIFACTS BUCKET region policy = handle bucket policy name bucket conf created bucket = s3 Bucket name bucket=name acl=bucket conf get acl policy=policy opts=pulumi ResourceOptions provider=provider buckets append created bucket pulumi export name created bucket arn return buckets``` After I upgraded the Pulumi version to 3 0 and the pulumi aws package I tried to change something in the bucket but the operation failed After that I tried to run Pulumi refresh and I got this error message `aws s3 Bucket prod lightlytics artifacts us east 1 ` `error Preview failed refreshing urn pulumi prod lightlytics aws s3 bucket bucket prod lightlytics artifacts us east 1 1 error occurred ` ` error reading S3 Bucket prod lightlytics artifacts us east 1 Forbidden Forbidden` Do you have any idea why this is happening and how I overcome it Thanks

broad-dog-22463 · Answer

Forbidden is a credentials iss can you try and ensure that your credentials are ok

white-action-27798 · Answer

it works for all the resources created without the provider on the primary region

broad-dog-22463 · Answer

ok so you are saying this is the issue gt opts=pulumi ResourceOptions provider=provider

white-action-27798 · Answer

Yes I believe so I had a lot of other problems with the provider in the past

broad-dog-22463 · Answer

I am going to try and recreate this now

broad-dog-22463 · Answer

so you went from pulumi aws 3 x gt 4 x

white-action-27798 · Answer

Yes

broad-dog-22463 · Answer

K trying now

broad-dog-22463 · Answer

hey < white action 27798> so I just ran the following code ```import pulumi from pulumi aws import s3 Provider provider = Provider my provider region= us east 1 Create an AWS resource S3 Bucket bucket = s3 Bucket my bucket opts=pulumi ResourceOptions provider=provider Export the name of the bucket pulumi export bucket name bucket id ``` and got the following result

broad-dog-22463 · Answer

``` pulumi up Previewing update dev View Live Type Name Plan + pulumi pulumi Stack test py aws issue dev create + pulumi providers aws my provider create + aws s3 Bucket my bucket create Resources + 3 to create Do you want to perform this update yes Updating dev View Live Type Name Status + pulumi pulumi Stack test py aws issue dev created + pulumi providers aws my provider created + aws s3 Bucket my bucket created Outputs bucket name my bucket 74f8e6d Resources + 3 created Duration 14s```

broad-dog-22463 · Answer

that forbidden is 100 from AWS not from Pulumi

broad-dog-22463 · Answer

can you check the bucket actually exists

white-action-27798 · Answer

OK I will check it out

white-action-27798 · Answer

Hi Paul I tried to run this command with aws cli and everything works fine

white-action-27798 · Answer

aws s3api get bucket policy bucket prod lightlytics artifacts us west 2 Policy Version 2012 10 17 Statement Sid AllowPublicRead Effect Allow Principal AWS Action s3 GetObject Resource arn aws s3 prod lightlytics artifacts us west 2

white-action-27798 · Answer

But I rotated the keys Yesterday

white-action-27798 · Answer

So its possible it s related to this The primary region works fine so it s very strange

broad-dog-22463 · Answer

how are you setting your keys for Pulumi to use

white-action-27798 · Answer

```config aws profile prod aws region us east 1``` in the stack conf file