https://pulumi.com logo
Title
w

wide-jackal-86020

05/06/2021, 11:29 PM
Can anyone help me debug this?
l

little-cartoon-10569

05/06/2021, 11:42 PM
Have you searched your code, config etc. for that number? Any chance it's been hard-coded and typo-ed?
w

wide-jackal-86020

05/06/2021, 11:51 PM
Thanks! I searched everywhere. This is an account ID that I never seen.
I also generated a new AWS access token, still having the same issue.
l

little-cartoon-10569

05/06/2021, 11:53 PM
Hmm.. do you create an aws.Provider in your code? Maybe it has a wrong parameter being passed to it?
w

wide-jackal-86020

05/06/2021, 11:56 PM
No I didn't, but I have
.aws/credentials
and
.aws/config
in my home folder.
This might be a clue
aws:dynamodb:Table (documents_api-dev-templateRules):                                                                                                                                     
9206     error: 1 error occurred:                                                                                                                                                                
9207         * updating urn:pulumi:dev::documents_api::aws:dynamodb/table:Table::documents_api-dev-templateRules: error deleting DynamoDB Table (documents_api-dev-templateRules-baed8a8) Global      Secon                                                                                                                                                                                       
9208 dary Index (templateType-index): AccessDeniedException: User: arn:aws:sts::228886564947:assumed-role/AmazonLightsailInstanceRole/i-04f5fe371a036054d is not authorized to perform: dynamodb:     Updat                                                                                                                                                                                       
9209 eTable on resource: arn:aws:dynamodb:us-west-2:228886564947:table/documents_api-dev-templateRules-baed8a8                                                                                   
9210         status code: 400, request id: CAKO3PQ28DSCQM6FTMIVDT5VAJVV4KQNSO5AEMVJF66Q9ASUAAJG
AccessDeniedException: User: arn:aws:sts::228886564947:assumed-role/AmazonLightsailInstanceRole/i-04f5fe371a036054d
I am doing the deployment on a Lightsail instance.. Looks like it's using the instance role instead of the AWS account in
.aws
folder.
l

little-cartoon-10569

05/06/2021, 11:58 PM
Oh, it shouldn't do that. instance role is the lowest priority...
Maybe it's not running as the user you think it is?
I've done that...
w

wide-jackal-86020

05/06/2021, 11:59 PM
Good guess!
l

little-cartoon-10569

05/06/2021, 11:59 PM
?
w

wide-jackal-86020

05/07/2021, 12:09 AM
I tried the aws cli command, and it uses the correct credentials provided int the
.aws
folder.
I guess the AWS cli is able to find the config in
.aws
folder, but pulumi isn't.
The AWS profile setting might be broken.
config:
   aws:profile:
Pulumi version 3.2.1
I am using docker and the AWS config is installed in
/root/.aws
l

little-cartoon-10569

05/07/2021, 1:47 AM
Are you running pulumi using the root user? (Ideally you wouldn't, but that's not causing this problem.) If you're running as another use, then it won't using those creds. Are you setting aws:profile to blank? I don't know what that would do. Maybe set it to default? Or just don't set it?
w

wide-jackal-86020

05/07/2021, 2:11 AM
yes, I am running as root inside docker. I also tried outside of docker as a non-root user. But I am seeing the same problem.
removing the aws:profile will select the default was configuration, which will cause the same issue.
l

little-cartoon-10569

05/07/2021, 2:22 AM
So what profile does it need to be? Can you set it properly?