sticky-bear-14421

06/15/2021, 11:54 AM
Hello, I've got a follow-up problem to my above one (⬆️). I circumvented the dependency problem the hard way by disabling the broken provider, using the missing ARNs, and running the update, then activating them again. But, much worse, my problem still exists. Quite consistently Pulumi keeps telling me that the TF Provider cannot assume the configured role. I broke the code out of my base setup stack and moved it over into a new one .. no effect ..
Then I tried a different approach to narrow down the cause of the error, and it broke in a different way 😢
// The default provider
current, err := aws.GetCallerIdentity(ctx, nil, nil)
if err != nil {
	return err
}
fmt.Println(current.Arn)
This will return the AWS SSO role I log in to.
// Second provider: assumes the intermediate role in the same account,
// using the default provider's credentials
intermediateProvider, err := aws.NewProvider(ctx, "intermediateProvider", &aws.ProviderArgs{
	AssumeRole: &aws.ProviderAssumeRoleArgs{
		RoleArn:     pulumi.String(fmt.Sprintf("arn:aws:iam::%s:/roles/intermediateRole", current.AccountId)),
		SessionName: pulumi.String("intermediateProviderSession"),
	},
	Region: pulumi.String(region.Name),
})
if err != nil {
	return err
}
And based upon this I again call aws.GetCallerIdentity():
// Resolve the identity as seen through the intermediate provider
current, err = aws.GetCallerIdentity(ctx, nil, pulumi.Provider(intermediateProvider))
if err != nil {
	return err
}
fmt.Println(current.Arn)
Then into the third one in a different AWS account, which gave me the headache before:
// Third provider: assumes the peering role in the peer account,
// chained off the provider passed in (the intermediate one)
peeringProvider, err := aws.NewProvider(ctx, fmt.Sprintf("peeringProvider-%s", peer.Name), &aws.ProviderArgs{
	AssumeRole: &aws.ProviderAssumeRoleArgs{
		RoleArn:     pulumi.String(fmt.Sprintf("arn:aws:iam::%s:role/%s", peer.AccountID, peer.AssumeRoleName)),
		SessionName: pulumi.String("PeeringProviderSession"),
	},
	Region: pulumi.String(region.Name),
}, pulumi.Provider(provider),
)
if err != nil {
	fmt.Println(err)
}

// Resolve the identity as seen through the peering provider
current, err = aws.GetCallerIdentity(ctx, nil, pulumi.Provider(peeringProvider))
if err != nil {
	return err
}
fmt.Println(current.Arn)
And guess what happens? This time I get the error message that my intermediate provider is the one breaking the run
billowy-army-68599

06/15/2021, 12:11 PM
If I'm understanding the problem correctly (which it's highly possible I'm not), the expected flow is: your base role assumes the role of the intermediate provider, then from the intermediate provider you assume the role of the peering provider. Is that right?
sticky-bear-14421

06/15/2021, 12:12 PM
Correct
The intermediate provider's role is only allowed to assume into the destination roles
billowy-army-68599

06/15/2021, 12:13 PM
in your peering provider, you do this:
pulumi.Provider(provider),
I believe this should be:
pulumi.Provider(intermediateProvider),
sticky-bear-14421

06/15/2021, 12:14 PM
When copying the destination code I broke it out into its own function.
The function interface is provider *aws.Provider,
but it is the intermediate one that gets stuffed into it.
billowy-army-68599

06/15/2021, 12:15 PM
what error do you get?
sticky-bear-14421

06/15/2021, 12:16 PM
error: program failed: 1 error occurred:
    	* rpc error: code = Unknown desc = invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: 1 error occurred:
    	* error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::123456789012:/roles/intermediateRole) cannot be assumed.
    There are a number of possible causes of this - the most common are:
      * The credentials used in order to assume the role are invalid
      * The credentials do not have appropriate permission to assume the role
      * The role ARN is not valid
    Error: NoCredentialProviders: no valid providers in chain. Deprecated.
    	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
    exit status 1
My larger code base creates the intermediate provider in the main function and passes it into two different functions: one does AWS account peering and the other operates on our TransitGateway .. The TGW one is working with its destinationProvider, whereas the peering code fails with its particular destination provider.
billowy-army-68599

06/15/2021, 12:18 PM
It's really hard to help debug this unfortunately because your setup is so unique to you 😞 What I will say is, every time this comes up it's a misconfiguration; this is known to work and lots of people are doing it. The best I can do is suggest you go through each role's permissions and provider config as carefully as possible.
sticky-bear-14421

06/15/2021, 12:20 PM
That is the funny part: we did the sts assume-role within the CLI, and the permissions of the IAM roles in use are correct.
My SSO role is allowed to assume the intermediate one, and this worked before, whereas it now fails.
How do I attach the dlv debugger to a pulumi run? Do you have an idea how to achieve this?
But his approach is with C# 😉

billowy-army-68599

06/15/2021, 12:23 PM
I have personally never done it, but it should be the same as any other Go code.
sticky-bear-14421

06/15/2021, 12:25 PM
Hmm, I always do a pulumi up .. vs. go build -o my_binary && ./my_binary
billowy-army-68599

06/15/2021, 12:27 PM
pulumi up with go does a go run in the background; you can build the binary and point to it in your Pulumi.yaml.
See runtime.binary here: https://www.pulumi.com/docs/reference/pulumi-yaml/
sticky-bear-14421

06/15/2021, 12:28 PM
Ahh, is the Pulumi.yaml the missing project I get?
❯ ./peering
error: program failed: missing project name
billowy-army-68599

06/15/2021, 12:31 PM
What does your Pulumi.yaml look like?
sticky-bear-14421

06/15/2021, 12:32 PM
❯ cat Pulumi.yaml
name: infrastructure
runtime: go
description: VPC Peering
options:
  binary: peering
billowy-army-68599

06/15/2021, 12:35 PM
It should be:
runtime:
  name: go
  options:
    binary: peering
sticky-bear-14421

06/15/2021, 12:45 PM
Will this force pulumi to build the binary, or use the previously built peering binary?
Doing a pulumi up answers my question .. it must be pre-built
😉
For reference, I found this issue that talks about options for debugging Pulumi Go code: https://github.com/pulumi/pulumi/issues/1372