white-action-27798

04/20/2021, 8:17 AM
Hi All, I have a problem with my S3 buckets which were created in external regions (with the AWS provider). This problem probably happened because we upgraded the Pulumi version. We created the S3 buckets with the function below and everything worked fine:
```python
def create_region_external_s3_artifact_buckets():
    buckets = []
    regions = conf.require_object('externalRegions')
    regions.append(conf.require('primaryRegion'))
    for region in regions:
        provider = Provider(f's3-{region}-provider', region=region)
        bucket_conf = {"name": f'{ARTIFACTS_BUCKET}-{region}', "acl": None, "policy": PUBLIC_OBJECT_READ_FOR_BUCKET}
        name, tags = get_resource_name_by_convention(f'{ARTIFACTS_BUCKET}-{region}')
        policy = _handle_bucket_policy(name, bucket_conf)
        created_bucket = s3.Bucket(
            name,
            bucket=name,
            acl=bucket_conf.get('acl'),
            policy=policy,
            opts=pulumi.ResourceOptions(provider=provider)
        )
        buckets.append(created_bucket)
        pulumi.export(name, created_bucket.arn)
    return buckets
```
After I upgraded the Pulumi version to 3.0 (and the pulumi-aws package), I tried to change something in the bucket but the operation failed. After that, I tried to run Pulumi refresh and I got this error message:
```
aws:s3:Bucket (prod-lightlytics-artifacts-us-east-1):
error: Preview failed: refreshing urn:pulumi:prod::lightlytics::aws:s3/bucket:bucket::prod-lightlytics-artifacts-us-east-1: 1 error occurred:
* error reading S3 Bucket (prod-lightlytics-artifacts-us-east-1): Forbidden: Forbidden
```
Do you have any idea why this is happening and how I can overcome it? Thanks!!

broad-dog-22463

04/20/2021, 8:18 AM
Forbidden is a credentials issue - can you try and ensure that your credentials are ok?

white-action-27798

04/20/2021, 8:20 AM
it works for all the resources created without the provider (on the primary region)

broad-dog-22463

04/20/2021, 8:20 AM
ok, so you are saying this is the issue:
```python
opts=pulumi.ResourceOptions(provider=provider)
```

white-action-27798

04/20/2021, 8:22 AM
Yes, I believe so. I had a lot of other problems with the provider in the past.

broad-dog-22463

04/20/2021, 8:23 AM
I am going to try and recreate this now
so you went from pulumi-aws 3.x -> 4.x ?

white-action-27798

04/20/2021, 8:30 AM
Yes

broad-dog-22463

04/20/2021, 8:32 AM
K trying now
hey @white-action-27798 so I just ran the following code:
```python
import pulumi
from pulumi_aws import s3, Provider

provider = Provider("my-provider", region="us-east-1")

# Create an AWS resource (S3 Bucket)
bucket = s3.Bucket('my-bucket', opts=pulumi.ResourceOptions(provider=provider))

# Export the name of the bucket
pulumi.export('bucket_name', bucket.id)
```
and got the following result:
```
▶ pulumi up
Previewing update (dev)

View Live: <https://app.pulumi.com/stack72/test-py-aws-issue/dev/previews/f64d91b4-6442-4aa1-a040-6f6515a09721>

     Type                     Name                   Plan
 +   pulumi:pulumi:Stack      test-py-aws-issue-dev  create
 +   ├─ pulumi:providers:aws  my-provider            create
 +   └─ aws:s3:Bucket         my-bucket              create

Resources:
    + 3 to create

Do you want to perform this update? yes
Updating (dev)

View Live: <https://app.pulumi.com/stack72/test-py-aws-issue/dev/updates/1>

     Type                     Name                   Status
 +   pulumi:pulumi:Stack      test-py-aws-issue-dev  created
 +   ├─ pulumi:providers:aws  my-provider            created
 +   └─ aws:s3:Bucket         my-bucket              created

Outputs:
    bucket_name: "my-bucket-74f8e6d"

Resources:
    + 3 created

Duration: 14s
```
that forbidden is 100% from AWS not from Pulumi
can you check the bucket actually exists?

white-action-27798

04/20/2021, 8:44 AM
OK, I will check it out.
Hi Paul, I tried to run this command with aws cli and everything works fine
```
❯ aws s3api get-bucket-policy --bucket prod-lightlytics-artifacts-us-west-2
{ "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllowPublicRead\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::prod-lightlytics-artifacts-us-west-2/*\"}] }
```
But I rotated the keys yesterday,
so it's possible it's related to this (the primary region works fine, so it's very strange)

broad-dog-22463

04/20/2021, 9:01 AM
how are you setting your keys for Pulumi to use?

white-action-27798

04/20/2021, 9:37 AM
```yaml
config:
  aws:profile: prod
  aws:region: us-east-1
```
in the stack conf file