hello all, I'm now running into an issue where my AWS credentials are not being picked up from one stack, but running fine on another. I'm using a multi-profile configuration following the docs. Everything was running fine yesterday, but now for some reason one of my stacks says

unable to discover AWS AccessKeyID and/or SecretAccessKey

. Anyone else encountering this?

i don't believe we've changed anything. Can you elaborate a little more on how you're running things?

Hi @billowy-army-68599, sure. I setup my AWS config and credentials in my

.aws

folder

config

file:

[profile michael]
region = eu-west-1

credentials

file:

[michael]
aws_access_key_id = ###
aws_secret_access_key = ###

In my Pulumi folder, I have two stacks, a

dev

stack and a

prod

stack. Both my

Pulumi.dev.yaml

and

Pulumi.prod.yaml

files are identical:

config:
  aws:profile: michael
  aws:region: eu-west-1

Running

pulumi up -s dev

runs fine, but running

pulumi up -s prod

gives me the

unable to discover AWS AccessKeyID and/or SecretAccessKey

error

what does

aws sts get-caller-identity

return?

what does 

aws sts get-caller-identity

 return?

I get 55###96 arnawsiam::55###96:user/michael.truong AI###SD

and it still throws you the creds error?

yeah, I still get the creds error

if you export the prod stack, does it have any other profile in there?

There only seems to be one profile in both stacks. But interestingly, in the

dev

stack, the profile and region are set in the AWS provider for both inputs and outputs, but in

prod

they aren't

dev

stack (excerpt):

{
                "urn": "urn:pulumi:dev::app::pulumi:providers:aws::default_4_25_0",
                "custom": true,
                "id": "###",
                "type": "pulumi:providers:aws",
                "inputs": {
                    "profile": "michael",
                    "region": "eu-west-1",
                    "version": "4.25.0"
                },
                "outputs": {
                    "profile": "michael",
                    "region": "eu-west-1",
                    "version": "4.25.0"
                }
            },

prod

stack (excerpt):

{
                "urn": "urn:pulumi:prod::app::pulumi:providers:aws::default_4_25_0",
                "custom": true,
                "id": "###",
                "type": "pulumi:providers:aws",
                "inputs": {
                    "version": "4.25.0"
                },
                "outputs": {
                    "version": "4.25.0"
                }
            },

seems to be only one profile in both stacks, but interestingly, in the

that would indicate the first run happened without that config set, you'll need to run an

up

with a valid profile set to fix it

but that's the issue, the

pulumi up -s dev

works fine but

pulumi up -s prod

complains, even though they both reference the same (valid) profile

right, but do you have the profile set locally so that it works?

I'm 100% sure it should work as

pulumi up -s dev

works just fine and it points to the same profile

okay, but that's actually been put into state. if your

up

isn't working yet, you'll need to have valid credentials

credentials are valid - the issue seems to be that I can set the aws:profile in the state

i'm not sure how else to help at this point. You need to: • remove the configuration from your config file • ensure you have valid credentials by doing

aws sts get-caller-identity

and then ensure you can perform AWS operations like

aws s3 ls

from your current profile • run a successful

pulumi up

• then readd the

aws:profile

config setting also make sure you don't have any explicit providers on your resources

cool. I'll follow those steps and try a few other things. Thanks for your help