Hello. I am trying to create an AWS provider for a different AWS account than the one the Pulumi program is launched with. I do so like this:

const provider = new aws.Provider(`${acctName}-provider`, {
    region: "us-west-2",
    assumeRole: {
        roleArn: pulumi.interpolate`arn:aws:iam::${args.id}:role/${args.roleName}`
    }
});

I later create a resource by passing the provider as the 3rd arg to the resource

{provider: provider}

. After running

pulumi up

, I receive the following message:

aws:iam:Role (access):
    error: 1 error occurred:
    	* error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::<<account id>>:role/<<role name>>) cannot be assumed.
    
    There are a number of possible causes of this - the most common are:
      * The credentials used in order to assume the role are invalid
      * The credentials do not have appropriate permission to assume the role
      * The role ARN is not valid
    
    Error: NoCredentialProviders: no valid providers in chain. Deprecated.
    	For verbose messaging see aws.Config.CredentialsChainVerboseErrors

How can I go about further debugging this?

Are you using the AWS backend? That uses only your env vars. The config is only for providers.

What does "AWS backend" mean in this context?

Where is your state file being stored? Have you defined the "backend" property in your Pulumi.yaml?

Pulumi is managing it.

Ah. Then aws:profile should be the only thing you need.. at a guess, a new AWS provider isn't using the config that the default provider uses?

Plausible. My default provider will not have access to assume the role. Only the profile provider specified in my pulumi config aws:profile key would have access.

I've checked my code, and I note that I always explicitly pass a value for profile when I'm created a new AWS provider. So I haven't encountered this situation.

Just tried it out -- same error.

Does the profile specify a region? If not, can you add one there? And have you confirmed that the profile is allowed assume that role?

The profile does specify a region & it does have access. Running pulumi up with the env var set works. e.g.,

AWS_PROFILE=profile-with-access pulumi up

So you're setting aws:profile in your Pulumi.x.yml file and it's not being picked up?

Correct

Maybe the format of the line is wrong? Can you paste it here?

It is only not being picked up for new new provider creation. Other top-level resources do pick it up.

I've reread thread. It looks like currently you're passing profile only into the default provider. The non-working provider doesn't have a profile set.

Yes. The non-working provider should use the default provider to assume the role specified in assumeRole. I did try as you suggested to explicitly pass a provider to the non-working provider (using the getDefaultProfileProvider fn) and that resulted in the same error.

I think the profile is required. I don't see how

getDefaultProfileProvider()

can help you pass the profile into the new provider?

Could you clarify what "I think the profile is required" means?

You posted this code which I believe won't work:

const provider = new aws.Provider(`${acctName}-provider`, {
    region: "us-west-2",
    assumeRole: {
        roleArn: pulumi.interpolate`arn:aws:iam::${args.id}:role/${args.roleName}`
    }
});

You would need this code instead:

const provider = new aws.Provider(`${acctName}-provider`, {
    region: "us-west-2",
    profile: profile,
    assumeRole: {
        roleArn: pulumi.interpolate`arn:aws:iam::${args.id}:role/${args.roleName}`
    }
});

Hmm, that seems surprising. I interpreted the Provider args as the definition for the "target" aws account. The "source" being the provider passed to the Provider.

Yeah, the profile you set in config.yank is only used as config for the default provider, I don’t think pulumi knows to use it for custom providers

Consider the equivalent in the AWS credentials file. You cannot assume a role via

role_arn

unless you also provide

source_profile

Yep, that did it! Thank you for your patience @little-cartoon-10569.