This message was deleted Pulumi Community #general

Join Slack

This message was deleted.

# general

sparse-intern-71089

11/10/2021, 11:06 PM

This message was deleted.

full-dress-10026

11/10/2021, 11:14 PM

I'd really like to see some sort of logs from the AWS sts API call. I've tried looking through the -v=9 logs and cannot find anything.

full-dress-10026

11/10/2021, 11:20 PM

AH. I set AWS_PROFILE when running

pulumi up

and it worked! I've already set

aws:profile

in my config so it seems odd that I'd also need to set the env var...

little-cartoon-10569

11/10/2021, 11:23 PM

Are you using the AWS backend? That uses only your env vars. The config is only for providers.

full-dress-10026

11/10/2021, 11:25 PM

What does "AWS backend" mean in this context?

little-cartoon-10569

11/10/2021, 11:26 PM

Where is your state file being stored? Have you defined the "backend" property in your Pulumi.yaml?

full-dress-10026

11/10/2021, 11:26 PM

Pulumi is managing it.

full-dress-10026

11/10/2021, 11:26 PM

So no, I have not specified anything special with the state file.

little-cartoon-10569

11/10/2021, 11:27 PM

Ah. Then aws:profile should be the only thing you need.. at a guess, a new AWS provider isn't using the config that the default provider uses?

full-dress-10026

11/10/2021, 11:28 PM

Plausible. My default provider will not have access to assume the role. Only the profile provider specified in my pulumi config aws:profile key would have access.

little-cartoon-10569

11/10/2021, 11:29 PM

I've checked my code, and I note that I always explicitly pass a value for profile when I'm created a new AWS provider. So I haven't encountered this situation.

little-cartoon-10569

11/10/2021, 11:30 PM

I recommend explicitly passing

new pulumi.Config("aws").require("profile")

to the profile of any AWS provider you create.

little-cartoon-10569

11/10/2021, 11:30 PM

At least for providers using the default profile.

full-dress-10026

11/10/2021, 11:34 PM

Just tried it out -- same error.

full-dress-10026

11/10/2021, 11:35 PM

I pass the result of this:

Copy code

function getDefaultProfileProvider() {
    const profile = new pulumi.Config("aws").require("profile")
    console.log(profile)
    return new aws.Provider("aws-default-profile", {
        profile: profile
    })
}

to my role aws.Provider.

little-cartoon-10569

11/10/2021, 11:36 PM

Does the profile specify a region? If not, can you add one there? And have you confirmed that the profile is allowed assume that role?

full-dress-10026

11/10/2021, 11:37 PM

The profile does specify a region & it does have access. Running pulumi up with the env var set works. e.g.,

Copy code

AWS_PROFILE=profile-with-access pulumi up

little-cartoon-10569

11/10/2021, 11:42 PM

So you're setting aws:profile in your Pulumi.x.yml file and it's not being picked up?

full-dress-10026

11/10/2021, 11:42 PM

Correct

little-cartoon-10569

11/10/2021, 11:42 PM

Maybe the format of the line is wrong? Can you paste it here?

full-dress-10026

11/10/2021, 11:42 PM

It is only not being picked up for new new provider creation. Other top-level resources do pick it up.

full-dress-10026

11/10/2021, 11:43 PM

Copy code

config:
  aws:region: us-west-2
  aws:profile: profile-with-access

full-dress-10026

11/10/2021, 11:44 PM

To be clear: I create many other resources with the default aws provider. At some point, I construct a new provider (as seen in the OP). That call fails unless I run

pulumi up

with AWS_PROFILE set.

little-cartoon-10569

11/10/2021, 11:45 PM

I've reread thread. It looks like currently you're passing profile only into the default provider. The non-working provider doesn't have a profile set.

little-cartoon-10569

11/10/2021, 11:46 PM

Is that correct?

full-dress-10026

11/10/2021, 11:48 PM

Yes. The non-working provider should use the default provider to assume the role specified in assumeRole. I did try as you suggested to explicitly pass a provider to the non-working provider (using the getDefaultProfileProvider fn) and that resulted in the same error.

little-cartoon-10569

11/10/2021, 11:49 PM

I think the profile is required. I don't see how

getDefaultProfileProvider()

can help you pass the profile into the new provider?

little-cartoon-10569

11/10/2021, 11:50 PM

Since the profile is a local variable within the function..

full-dress-10026

11/10/2021, 11:51 PM

Could you clarify what "I think the profile is required" means?

little-cartoon-10569

11/10/2021, 11:51 PM

You posted this code which I believe won't work:

Copy code

const provider = new aws.Provider(`${acctName}-provider`, {
    region: "us-west-2",
    assumeRole: {
        roleArn: pulumi.interpolate`arn:aws:iam::${args.id}:role/${args.roleName}`
    }
});

You would need this code instead:

Copy code

const provider = new aws.Provider(`${acctName}-provider`, {
    region: "us-west-2",
    profile: profile,
    assumeRole: {
        roleArn: pulumi.interpolate`arn:aws:iam::${args.id}:role/${args.roleName}`
    }
});

full-dress-10026

11/10/2021, 11:52 PM

Hmm, that seems surprising. I interpreted the Provider args as the definition for the "target" aws account. The "source" being the provider passed to the Provider.

full-dress-10026

11/10/2021, 11:53 PM

I will try it.

freezing-van-87649

11/10/2021, 11:54 PM

Yeah, the profile you set in config.yank is only used as config for the default provider, I don’t think pulumi knows to use it for custom providers

little-cartoon-10569

11/10/2021, 11:54 PM

Consider the equivalent in the AWS credentials file. You cannot assume a role via

role_arn

unless you also provide

source_profile

little-cartoon-10569

11/10/2021, 11:55 PM

(Or explicit

aws_access_key_id

and

aws_secret_access_key

)

full-dress-10026

11/10/2021, 11:55 PM

Yep, that did it! Thank you for your patience @little-cartoon-10569.

👍 1

178 Views

Open in Slack

Previous Next