# general
Update: http://app.pulumi.com seems to be back
Hey Nick, sorry for this experience. Can you try setting your access key and secret key inside Pulumi config, to eliminate the env var reading as a potential problem? You should be able to do this using `pulumi config set aws:secretKey <key> --secret`. You'll then be able to read this from config and pass it to the provider like so: https://www.pulumi.com/docs/intro/concepts/config/#code
No dramas at all, appreciate the quick response. Checking that solution now - is this something to do with the transfer of AWS creds to the Pulumi backend?
No, the Pulumi backend doesn't even read your credentials. All it does is store state and metadata. What I suspect is that the portion of the code that reads your S3 bucket access is separate from the provider part, so it may have masked the original issue.
Unfortunately this still didn't work. Here is a code snippet:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// accountId (the child account to target) is defined elsewhere in this program.
const awsConfig = new pulumi.Config("aws");

// Explicit provider: credentials come from stack config rather than env vars,
// then the provider assumes the org access role in the child account.
// (awsConfig.requireSecret("secretKey") would keep the value marked secret in outputs.)
const provider = new aws.Provider("account-provider", {
  accessKey: awsConfig.require("accessKey"),
  secretKey: awsConfig.require("secretKey"),
  region: awsConfig.require("region") as aws.Region,
  assumeRole: {
    roleArn: pulumi.interpolate`arn:aws:iam::${accountId}:role/OrganizationAccountAccessRole`,
  },
});
```
I can confirm that the accessKey and secretKey are for the root org account, which is ordinarily able to assume `OrganizationAccountAccessRole` in child accounts.

```
* error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::288XXXXX577:role/OrganizationAccountAccessRole) cannot be assumed.
```
Pulumi.prod.yaml:

```yaml
config:
  aws:accessKey:
    secure: AAABAIHDr2+XXXXXXXXXXXXXXXXXXX7MGy6X0Uy45v5CTEQyBXR8uVWODYvg==
  aws:region: us-east-1
  aws:secretKey:
    secure: AAABANatex3YxZzzjVXXXXXXXXXXXXXXXXXXXXXX3LFiuiBVGNQsALLhDnTWIRtsD1L10sRR7Dw0iKG2E/k7
```
Can you show me the output of assuming the role manually via the AWS CLI, with sensitive data redacted?
Ok, great hint - root account can't assume roles directly, only root users. And in the contrived use case to determine viability I went with the simplest option of just trying to assume the role directly from the account - 🤦‍♂️ a couple of hours lost trying to do things the “easy way”. First output from `aws sts assume-role`:

```
Error: root account cant assume roles
```

Solution: create a user in the root account with access keys, then try again.
Also note that the injection of envs was not the issue - reverting back to `process.env.AWS_ACCESS_KEY_ID` etc. works as well.