Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
s
sticky-bear-14421
06/15/2021, 11:54 AMHello, I've got a followup problem to my above one (⬆️). I circumvented the dependency problem hard by disabling the broken provider, using the missing ARNs, and running the update, then activate them again. But, much worse, my problem still exists. Quite consitently Pulumi keeps telling me that the TF Provider cannot assume the configured role.
I broke the code out of my base setup stack and moved it over into a new one .. no effect ..
Then I tried a different approach to narrow down the cause for the error and it broke in a different way 😢
// The default provider
current, err := aws.GetCallerIdentity(ctx, nil, nil)
if err != nil {
return err
}
fmt.Println(current.Arn)// Second provider
intermediateProvider, err := aws.NewProvider(ctx, "intermediateProvider", &aws.ProviderArgs{
AssumeRole: &aws.ProviderAssumeRoleArgs{
RoleArn: pulumi.String(fmt.Sprintf("arn:aws:iam::%s:/roles/intermediateRole", current.AccountId)),
SessionName: pulumi.String("intermediateProviderSession"),
},
Region: pulumi.String(region.Name),
})
if err != nil {
return err
}current, err = aws.GetCallerIdentity(ctx, nil, pulumi.Provider(intermediateProvider))
if err != nil {
return err
}
fmt.Println(current.Arn)Then into the third one in a different AWS account, which gave me the headache before:
peeringProvider, err := aws.NewProvider(ctx, fmt.Sprintf("peeringProvider-%s", peer.Name), &aws.ProviderArgs{
AssumeRole: &aws.ProviderAssumeRoleArgs{
RoleArn: pulumi.String(fmt.Sprintf("arn:aws:iam::%s:role/%s", peer.AccountID, peer.AssumeRoleName)),
SessionName: pulumi.String("PeeringProviderSession"),
},
Region: pulumi.String(region.Name),
}, pulumi.Provider(provider),
)
if err != nil {
fmt.Println(err)
}
current, err = aws.GetCallerIdentity(ctx, nil, pulumi.Provider(peeringProvider))
if err != nil {
return err
}
fmt.Println(current.Arn)And guess what happens? This time I get the error message that my intermediate provider is the one breaking the run
b
billowy-army-68599
06/15/2021, 12:11 PMif I'm understanding the problem correctly (which it's highly possible I'm not) - the expected flow is
- your base role
- assume role into the intermediate provider
- then from the intermediate provider, assume role into the peering provider
is that right?
s
sticky-bear-14421
06/15/2021, 12:12 PMCorrect
The intermediate provider's role is only allowed to assume into the destination roles
b
billowy-army-68599
06/15/2021, 12:13 PMin your peering provider, you do this:
pulumi.Provider(provider),pulumi.Provider(intermediateProvider),s
sticky-bear-14421
06/15/2021, 12:14 PMWhen copying the destination code I broke it out into it's own function
the function interface is provider *aws.Provider
But it is the intermediate one that gets stuffed into it
b
billowy-army-68599
06/15/2021, 12:15 PMwhat error do you get?
s
sticky-bear-14421
06/15/2021, 12:16 PMerror: program failed: 1 error occurred:
* rpc error: code = Unknown desc = invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: 1 error occurred:
* error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::123456789012:/roles/intermediateRole) cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
Error: NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
exit status 1My larger code base creates the intermediate provider in the main function and puts it into two different functions, one that does aws account peering and the other one does operate on our TransitGateway ..
The TGW one is working with its destinationProvider whereas the Peering Code fails with its particular destination provider
b
billowy-army-68599
06/15/2021, 12:18 PMit's really hard to help debug this unfortunately because your setup is so unique to you 😞 what I will say is, every time this comes up it's a misconfiguration - this is known to work and lots of people are doing it. The best I can do is suggest you go through each role permissions and provider config as best as possible
s
sticky-bear-14421
06/15/2021, 12:20 PMThat is the funny part, we did the sts assume-role within the cli, permissions with the iam roles in use are correct
my SSO-Role is allowed to assume the intermediate and this worked before, whereas it now failes
How do I attach dlv debugger to a pulumi run? Do you have an idea how to achieve this?
I found this nice article:
https://samcogan.com/debugging-pulumi-code-in-visual-studio/
But his approach is with C# 😉
b
billowy-army-68599
06/15/2021, 12:23 PMi have personally never done it, but it should be the same as any other Go code
s
sticky-bear-14421
06/15/2021, 12:25 PMHmm, I always do a pulumi up .. vs. go build -o my_binary && ./my_binary
b
billowy-army-68599
06/15/2021, 12:27 PMpulumi up with go does a
go runPulumi.yamls
sticky-bear-14421
06/15/2021, 12:28 PMAhh, the Pulumi.yaml is the missing project I get?
❯ ./peering
error: program failed: missing project nameb
billowy-army-68599
06/15/2021, 12:31 PMwhat does your
pulumi.yamls
sticky-bear-14421
06/15/2021, 12:32 PM❯ cat Pulumi.yaml
name: infrastructure
runtime: go
description: VPC Peering
options:
binary: peeringb
billowy-army-68599
06/15/2021, 12:35 PMshould be:
runtime:
name: go
options:
binary: peerings
sticky-bear-14421
06/15/2021, 12:45 PMThis will force pulumi to build the binary or use the before built peering binary?
Doing a pulumi up answers my question .. must be pre built
😉
For the reference, I found this issue that talks about options for debugging Pulumi go code:
https://github.com/pulumi/pulumi/issues/1372