full-dress-10026
11/10/2021, 11:06 PMconst provider = new aws.Provider(`${acctName}-provider`, {
region: "us-west-2",
assumeRole: {
roleArn: pulumi.interpolate`arn:aws:iam::${args.id}:role/${args.roleName}`
}
});
I later create a resource by passing the provider as the 3rd arg to the resource {provider: provider}
. After running pulumi up
, I receive the following message:
aws:iam:Role (access):
error: 1 error occurred:
* error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::<<account id>>:role/<<role name>>) cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
Error: NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
How can I go about further debugging this?pulumi up
and it worked! I've already set aws:profile
in my config so it seems odd that I'd also need to set the env var...little-cartoon-10569
11/10/2021, 11:23 PMfull-dress-10026
11/10/2021, 11:25 PMlittle-cartoon-10569
11/10/2021, 11:26 PMfull-dress-10026
11/10/2021, 11:26 PMlittle-cartoon-10569
11/10/2021, 11:27 PMfull-dress-10026
11/10/2021, 11:28 PMlittle-cartoon-10569
11/10/2021, 11:29 PMnew pulumi.Config("aws").require("profile")
to the profile of any AWS provider you create.full-dress-10026
11/10/2021, 11:34 PMfunction getDefaultProfileProvider() {
const profile = new pulumi.Config("aws").require("profile")
console.log(profile)
return new aws.Provider("aws-default-profile", {
profile: profile
})
}
to my role aws.Provider.little-cartoon-10569
11/10/2021, 11:36 PMfull-dress-10026
11/10/2021, 11:37 PMAWS_PROFILE=profile-with-access pulumi up
little-cartoon-10569
11/10/2021, 11:42 PMfull-dress-10026
11/10/2021, 11:42 PMlittle-cartoon-10569
11/10/2021, 11:42 PMfull-dress-10026
11/10/2021, 11:42 PMconfig:
aws:region: us-west-2
aws:profile: profile-with-access
pulumi up
with AWS_PROFILE set.little-cartoon-10569
11/10/2021, 11:45 PMfull-dress-10026
11/10/2021, 11:48 PMlittle-cartoon-10569
11/10/2021, 11:49 PMgetDefaultProfileProvider()
can help you pass the profile into the new provider?full-dress-10026
11/10/2021, 11:51 PMlittle-cartoon-10569
11/10/2021, 11:51 PMconst provider = new aws.Provider(`${acctName}-provider`, {
region: "us-west-2",
assumeRole: {
roleArn: pulumi.interpolate`arn:aws:iam::${args.id}:role/${args.roleName}`
}
});
You would need this code instead:
const provider = new aws.Provider(`${acctName}-provider`, {
region: "us-west-2",
profile: profile,
assumeRole: {
roleArn: pulumi.interpolate`arn:aws:iam::${args.id}:role/${args.roleName}`
}
});
full-dress-10026
11/10/2021, 11:52 PMfreezing-van-87649
11/10/2021, 11:54 PMlittle-cartoon-10569
11/10/2021, 11:54 PMrole_arn
unless you also provide source_profile
aws_access_key_id
and aws_secret_access_key
)full-dress-10026
11/10/2021, 11:55 PM