
shy-waiter-84958

05/25/2021, 4:10 PM
Is there an easy way to update the AWS provider `pulumi:providers:aws` in the stack state (aside from export, delete, import)? If you remove (below) the AWS profile config `pulumi config rm aws:profile` it seems to persist in state regardless of what I try unless manually deleted
config:
  aws:profile: someProfile
I'm trying to keep it simple for devs so they don't have to switch between roles (we have several accounts) for each local deploy/testing, but in our automated pipeline we're running `pulumi config rm aws:profile` before `pulumi up --non-interactive -y` as we have instances in each specific account with an IAM Profile attached to provide the needed credentials to run the pulumi updates. But it's keeping that config in the state (tried a `pulumi refresh`) but keep getting `error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.` on any refresh/up attempts on any machine that doesn't have the previously set AWS profile configured locally

billowy-army-68599

05/25/2021, 4:59 PM
each resource has a provider associated with it, it's either explicitly created (using the provider opts) or done at the stack level - what about the provider do you need to change?
if you need to use profiles, I'd recommend setting the `AWS_PROFILE` env var instead of configuring it via the config

shy-waiter-84958

05/25/2021, 5:18 PM
Using `AWS_PROFILE` kind of defeats what I was trying to achieve (unless you mean set it in code instead of via the stack config yaml), hopefully this makes what I'm attempting easier to read
• We have multiple accounts and multiple access levels in each account. (e.g. Account/Admin, Account/Engineer, etc...)
• We already use a tool called saml2aws for temp credentials in managing these multiple roles and running AWS commands (e.g. `saml2aws exec --exec-profile Account/Admin -- pulumi up`)
• Using the pulumi config `aws:profile Account/Admin` for example, means when doing local testing across multiple projects we only have to run `pulumi up` in each project without having to identify which account/role it belongs to
The issue is, it seems once you use the pulumi config `aws:profile Account/Admin` it stays that way. If you remove it and run refresh/update and pass the creds another way, it stays set that way. The only way I have managed to change or remove that setting after it makes it to the state file is to export, delete/change it, and import. I mean if that's the only possible way for using the `aws:profile` config is to set it forever or manually edit it out of the stack I can just not use it at all, but it does seem like a bug if it never updates/touches that config after it's set