Hey pulumi and team, couple of things: 1. `<http...
# general
Hey pulumi and team, couple of things: 1.
is currently infinitely loading on chrome - tried clearing cookies, using incognito and safari still getting no page load 2. I’ve recently switched from storing stack state in my own s3 bucket to using the pulumi app under a new org a. Not sure if its related but on the new stack I’m unable use
to assume a role into another account. Just get
error. I’ve literally tried copying code from the other stack and its just not working. i. env vars are good ii. role to be assumed exists iii. access keys are trusted to assume the role iv. then I’ve tried multiple accounts and multiple roles 🙅 b. is there something different about how credentials are handled when the stack is hosted on app.pulumi.com vs own s3? c. issue here https://github.com/pulumi/pulumi/issues/7552 Context: I’m currently in the process of assessing pulumi for use with my team would love to get these first steps unblocked asap so can test k8s deployments across multiple accounts
seems to be back
Hey Nick, sorry for this experience. Can you try setting your access key and secret key inside pulumi config, to eliminate the env var reading as a potential problem? You should be able to do this using
pulumi config set aws:secretKey <key> --secret
You'll then be able to read this from config and pass it to the provider like so: https://www.pulumi.com/docs/intro/concepts/config/#code
No dramas at all appreciate the quick response, checking that solution now - is this something to do with transfer of aws creds to pulumi backend?
no, the pulumi backend doesn't even read your credentials. all it does it store state and metadata. what i suspect is that the portion of the code that reads your s3 bucket access is separate from the provider part, so it may have masked the original issue
Unfortunately this still didnt work here is a code snippet:
Copy code
const awsConfig = new pulumi.Config("aws");

  const provider = new aws.Provider(`account-provider`, {
    accessKey: awsConfig.require("accessKey"),
    secretKey: awsConfig.require("secretKey"),
    region: awsConfig.require("region") as aws.Region,
    assumeRole: {
      roleArn: pulumi.interpolate`arn:aws:iam::${accountId}:role/OrganizationAccountAccessRole`,
I can confirm that the accessKey and secretKey are for the root org account, which is able to assume
in child accounts ordinarily
Copy code
* error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::288XXXXX577:role/OrganizationAccountAccessRole) cannot be assumed.
Copy code
  aws:region: us-east-1
can you show me the output of assuming the role manually via the aws cli, with sensitive data redacted?
Ok great hint - root account cant assume roles directly, only root users. And in the contrived use case to determine viability I went with the simplest option of just trying assume the role from directly from the account - 🤦‍♂️ a couple hours lost trying to do things the “easy way”: First output from `aws sts assume-role`:
Copy code
Error: root account cant assume roles
Solution create a user in root account with access keys then try again..
Also note - that the injection of envs was not the issue - reverting back to
etc.. works as well