No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Forbidden is a credentials iss - can you try and ensure that your credentials are ok?

it works for all the resources created without the provider(on the primary region)

ok, so you are saying this is the issue:

&gt; opts=pulumi.ResourceOptions(provider=provider)

Yes, I believe so.
I had a lot of other problems with the provider in the past.

so you went from pulumi-aws 3.x -&gt; 4.x ?

hey <@U01UUBYP9B4> so I just ran the following code:

```import pulumi
from pulumi_aws import s3, Provider

provider = Provider("my-provider", region="us-east-1")

# Create an AWS resource (S3 Bucket)
bucket = s3.Bucket('my-bucket', opts=pulumi.ResourceOptions(provider=provider))

# Export the name of the bucket
pulumi.export('bucket_name', bucket.id)```
and got the following result:

```▶ pulumi up
Previewing update (dev)

View Live: <https://app.pulumi.com/stack72/test-py-aws-issue/dev/previews/f64d91b4-6442-4aa1-a040-6f6515a09721>

     Type                     Name                   Plan
 +   pulumi:pulumi:Stack      test-py-aws-issue-dev  create
 +   ├─ pulumi:providers:aws  my-provider            create
 +   └─ aws:s3:Bucket         my-bucket              create

Resources:
    + 3 to create

Do you want to perform this update? yes
Updating (dev)

View Live: <https://app.pulumi.com/stack72/test-py-aws-issue/dev/updates/1>

     Type                     Name                   Status
 +   pulumi:pulumi:Stack      test-py-aws-issue-dev  created
 +   ├─ pulumi:providers:aws  my-provider            created
 +   └─ aws:s3:Bucket         my-bucket              created

Outputs:
    bucket_name: "my-bucket-74f8e6d"

Resources:
    + 3 created

Duration: 14s```

that forbidden is 100% from AWS not from Pulumi

can you check the bucket actually exists?

Hi Paul,
I tried to run this command with aws cli and everything works fine

❯ aws s3api get-bucket-policy --bucket prod-lightlytics-artifacts-us-west-2
{
    "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllowPublicRead\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::prod-lightlytics-artifacts-us-west-2/*\"}]
}

So its possible it's related to this(The primary region works fine so it's very strange)

how are you setting your keys for Pulumi to use?

```config:
  aws:profile: prod
  aws:region: us-east-1```
in the stack conf file