This message was deleted.
# general
s
This message was deleted.
b
hey, sorry for the delay.
The providers you pass to the resources and the awskms auth are handled differently. You can set the
aws:profile
configuration key using
pulumi config set aws:profile
and that becomes the default for all resources. You could then use
AWS_PROFILE
as an env var for the aws_kms
b
I set aws:region to invalid, its a workaround to create explicit providers. Then have a context manager (using in .net) to switch assume roles. Also use automation api so secrets provider is set and access keys are in the stack but encrypted.
ported form the C# version, haven't tested it much yet
g
Okay cool… so that use case may work for us. I’ll have to test it out, but I think last time I tried it, it tried to use the same role i defined in $AWS_PROFILE and the rest of the aws providers [default one, not a reinstantiated custom one as Derek showed] attmpted to use that profile instead of the one set by
aws:profile
. It’s possible I had hit a bug, so I could give it another try. Thanks!
b
This is the GitHub link for the ‘invalid’ workaround https://github.com/pulumi/pulumi/issues/3383
g
Confirmed that I am able to set
aws:profile
to use the default aws provider’s aws profile, and set
$AWS_PROFILE
in the environment prior to invoking pulumi with a different profile that has actual access to the CMK. 👍 Thanks @billowy-army-68599. Perhaps a suggestion is a variable like
aws:kms_profile
in the stack would be handy, so that users of the stack do not have to remember to always set that KMS/CMK profile for decrypting the stack contents? not sure if that’s on the roadmap…
Ideally we should just move to not relying on the default provider, but that still doesn’t make it easy for one to use the awscmk decrypt without remembering to set a profile. It’s not the worst thing, but would help with the out-of-the-box experience
We currently isolate 90% of our stacks by AWS account [isolation] so rarely have to call in a second provider, thus, the default provider is sufficient for our needs.