This message was deleted.

Update:

<http://app.pulumi.com|app.pulumi.com>

seems to be back

Hey Nick, sorry for this experience. Can you try setting your access key and secret key inside pulumi config, to eliminate the env var reading as a potential problem? You should be able to do this using

pulumi config set aws:secretKey <key> --secret

You'll then be able to read this from config and pass it to the provider like so: https://www.pulumi.com/docs/intro/concepts/config/#code

No dramas at all appreciate the quick response, checking that solution now - is this something to do with transfer of aws creds to pulumi backend?

no, the pulumi backend doesn't even read your credentials. all it does it store state and metadata. what i suspect is that the portion of the code that reads your s3 bucket access is separate from the provider part, so it may have masked the original issue

Unfortunately this still didnt work here is a code snippet:

const awsConfig = new pulumi.Config("aws");

  const provider = new aws.Provider(`account-provider`, {
    accessKey: awsConfig.require("accessKey"),
    secretKey: awsConfig.require("secretKey"),
    region: awsConfig.require("region") as aws.Region,
    assumeRole: {
      roleArn: pulumi.interpolate`arn:aws:iam::${accountId}:role/OrganizationAccountAccessRole`,
    },
  });

can you show me the output of assuming the role manually via the aws cli, with sensitive data redacted?

Ok great hint - root account cant assume roles directly, only root users. And in the contrived use case to determine viability I went with the simplest option of just trying assume the role from directly from the account - 🤦‍♂️ a couple hours lost trying to do things the “easy way”: First output from `aws sts assume-role`:

Error: root account cant assume roles

Solution create a user in root account with access keys then try again.. ✅