shy-waiter-84958
05/25/2021, 4:10 PM
`pulumi:providers:aws` in the stack state (aside from export, delete, import). If you remove (below) the AWS profile config `pulumi config rm aws:profile` it seems to persist in state regardless of what I try unless manually deleted
config:
  aws:profile: someProfile
I'm trying to keep it simple for devs so they don't have to switch between roles (we have several accounts) for each local deploy/testing, but in our automated pipeline we're running `pulumi config rm aws:profile` before `pulumi up --non-interactive -y` as we have instances in each specific account with an IAM Profile attached to provide the needed credentials to run the pulumi updates.
But it's keeping that config in the state (tried a `pulumi refresh`) but keep getting `error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.` on any refresh/up attempts on any machine that doesn't have the previously set AWS profile configured locally
billowy-army-68599
05/25/2021, 4:59 PM
`AWS_PROFILE` env var instead of configuring it via the config
shy-waiter-84958
05/25/2021, 5:18 PM
`AWS_PROFILE` kind of defeats what I was trying to achieve (unless you mean set it in code instead of via the stack config yaml), hopefully this makes what I'm attempting easier to read
• We have multiple accounts and multiple access levels in each account. (e.g. Account/Admin, Account/Engineer, etc...)
• We already use a tool called saml2aws for temp credentials in managing these multiple roles and running AWS commands (e.g. `saml2aws exec --exec-profile Account/Admin -- pulumi up`)
• Using the `pulumi config aws:profile Account/Admin` for example, means when doing local testing across multiple projects we only have to run `pulumi up` in each project without having to identify which account/role it belongs to
The issue is, it seems once you use the `pulumi config aws:profile Account/Admin` it stays that way. If you remove it and run refresh/update and pass the creds another way, it stays set at that way. The only way I have managed to change or remove that setting after it makes it to the state file is to export, delete/change it, and import.
I mean if that's the only possible way for using the `aws:profile` config is to set it forever or manually edit it out of the stack I can just not use it at all, but it does seem like a bug if it never updates/touches that config after it's set