
billions-battery-73370

07/17/2021, 4:37 AM
Hey pulumi and team, couple of things:

1. app.pulumi.com is currently infinitely loading on Chrome - tried clearing cookies, using incognito and Safari, still getting no page load
2. I've recently switched from storing stack state in my own s3 bucket to using the pulumi app under a new org
   a. Not sure if it's related but on the new stack I'm unable to use `aws.Provider` to assume a role into another account. Just get `NoCredentialsProvider` error. I've literally tried copying code from the other stack and it's just not working.
      i. env vars are good
      ii. role to be assumed exists
      iii. access keys are trusted to assume the role
      iv. then I've tried multiple accounts and multiple roles 🙅
   b. is there something different about how credentials are handled when the stack is hosted on app.pulumi.com vs own s3?
   c. issue here https://github.com/pulumi/pulumi/issues/7552

Context: I'm currently in the process of assessing pulumi for use with my team, would love to get these first steps unblocked asap so can test k8s deployments across multiple accounts

Update: app.pulumi.com seems to be back

billowy-army-68599

07/17/2021, 4:48 AM
Hey Nick, sorry for this experience. Can you try setting your access key and secret key inside pulumi config, to eliminate the env var reading as a potential problem? You should be able to do this using `pulumi config set aws:secretKey <key> --secret`. You'll then be able to read this from config and pass it to the provider like so: https://www.pulumi.com/docs/intro/concepts/config/#code

billions-battery-73370

07/17/2021, 4:50 AM
No dramas at all appreciate the quick response, checking that solution now - is this something to do with transfer of aws creds to pulumi backend?

billowy-army-68599

07/17/2021, 4:52 AM
no, the pulumi backend doesn't even read your credentials. all it does is store state and metadata. what i suspect is that the portion of the code that reads your s3 bucket access is separate from the provider part, so it may have masked the original issue

billions-battery-73370

07/17/2021, 5:01 AM
Unfortunately this still didn't work, here is a code snippet:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// accountId (the ID of the target child account) is defined elsewhere in the program.
const awsConfig = new pulumi.Config("aws");

// Explicit provider: static keys from stack config, then assume a role in the child account.
const provider = new aws.Provider(`account-provider`, {
  accessKey: awsConfig.require("accessKey"),
  secretKey: awsConfig.require("secretKey"),
  region: awsConfig.require("region") as aws.Region,
  assumeRole: {
    roleArn: pulumi.interpolate`arn:aws:iam::${accountId}:role/OrganizationAccountAccessRole`,
  },
});
```

I can confirm that the accessKey and secretKey are for the root org account, which is able to assume `OrganizationAccountAccessRole` in child accounts ordinarily

```
* error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::288XXXXX577:role/OrganizationAccountAccessRole) cannot be assumed.
```

Pulumi.prod.yaml

```yaml
config:
  aws:accessKey:
    secure: AAABAIHDr2+XXXXXXXXXXXXXXXXXXX7MGy6X0Uy45v5CTEQyBXR8uVWODYvg==
  aws:region: us-east-1
  aws:secretKey:
    secure: AAABANatex3YxZzzjVXXXXXXXXXXXXXXXXXXXXXX3LFiuiBVGNQsALLhDnTWIRtsD1L10sRR7Dw0iKG2E/k7
```

billowy-army-68599

07/17/2021, 5:06 AM
can you show me the output of assuming the role manually via the aws cli, with sensitive data redacted?

billions-battery-73370

07/17/2021, 5:20 AM
Ok great hint - root account can't assume roles directly, only root users. And in the contrived use case to determine viability I went with the simplest option of just trying to assume the role directly from the account - 🤦‍♂️ a couple hours lost trying to do things the "easy way".

First output from `aws sts assume-role`:

```
Error: root account cant assume roles
```

Solution: create a user in root account with access keys then try again.

Also note that the injection of envs was not the issue - reverting back to `process.env.AWS_ACCESS_KEY_ID` etc. works as well