Hey pulumi and team, couple of things: 1.

<http://app.pulumi.com|app.pulumi.com>

is currently infinitely loading on chrome - tried clearing cookies, using incognito and safari still getting no page load 2. I’ve recently switched from storing stack state in my own s3 bucket to using the pulumi app under a new org a. Not sure if its related but on the new stack I’m unable use

aws.Provider

to assume a role into another account. Just get

NoCredentialsProvider

error. I’ve literally tried copying code from the other stack and its just not working. i. env vars are good ✅ ii. role to be assumed exists ✅ iii. access keys are trusted to assume the role ✅ iv. then I’ve tried multiple accounts and multiple roles 🙅 b. is there something different about how credentials are handled when the stack is hosted on app.pulumi.com vs own s3? c. issue here https://github.com/pulumi/pulumi/issues/7552 Context: I’m currently in the process of assessing pulumi for use with my team would love to get these first steps unblocked asap so can test k8s deployments across multiple accounts

Hey Nick, sorry for this experience. Can you try setting your access key and secret key inside pulumi config, to eliminate the env var reading as a potential problem? You should be able to do this using

pulumi config set aws:secretKey <key> --secret

You'll then be able to read this from config and pass it to the provider like so: https://www.pulumi.com/docs/intro/concepts/config/#code

No dramas at all appreciate the quick response, checking that solution now - is this something to do with transfer of aws creds to pulumi backend?

no, the pulumi backend doesn't even read your credentials. all it does it store state and metadata. what i suspect is that the portion of the code that reads your s3 bucket access is separate from the provider part, so it may have masked the original issue

Unfortunately this still didnt work here is a code snippet:

const awsConfig = new pulumi.Config("aws");

  const provider = new aws.Provider(`account-provider`, {
    accessKey: awsConfig.require("accessKey"),
    secretKey: awsConfig.require("secretKey"),
    region: awsConfig.require("region") as aws.Region,
    assumeRole: {
      roleArn: pulumi.interpolate`arn:aws:iam::${accountId}:role/OrganizationAccountAccessRole`,
    },
  });

can you show me the output of assuming the role manually via the aws cli, with sensitive data redacted?

Ok great hint - root account cant assume roles directly, only root users. And in the contrived use case to determine viability I went with the simplest option of just trying assume the role from directly from the account - 🤦‍♂️ a couple hours lost trying to do things the “easy way”: First output from `aws sts assume-role`:

Error: root account cant assume roles

Solution create a user in root account with access keys then try again.. ✅