# golang
s
Hello, I've got a follow-up problem to my above one (⬆️). I circumvented the dependency problem hard by disabling the broken provider, using the missing ARNs, and running the update, then activating them again. But, much worse, my problem still exists. Quite consistently Pulumi keeps telling me that the TF Provider cannot assume the configured role. I broke the code out of my base setup stack and moved it over into a new one .. no effect ..
Then I tried a different approach to narrow down the cause for the error and it broke in a different way 😢
// The default provider
current, err := aws.GetCallerIdentity(ctx, nil, nil)
if err != nil {
	return err
}
fmt.Println(current.Arn)
This will return the AWS SSO Role I log in to.
// Second provider
intermediateProvider, err := aws.NewProvider(ctx, "intermediateProvider", &aws.ProviderArgs{
	AssumeRole: &aws.ProviderAssumeRoleArgs{
		RoleArn:     pulumi.String(fmt.Sprintf("arn:aws:iam::%s:/roles/intermediateRole", current.AccountId)),
		SessionName: pulumi.String("intermediateProviderSession"),
	},
	Region: pulumi.String(region.Name),
})
if err != nil {
	return err
}
And based upon this I again call aws.GetCallerIdentity()
current, err = aws.GetCallerIdentity(ctx, nil, pulumi.Provider(intermediateProvider))
if err != nil {
	return err
}
fmt.Println(current.Arn)
Then into the third one in a different AWS account, which gave me the headache before:
peeringProvider, err := aws.NewProvider(ctx, fmt.Sprintf("peeringProvider-%s", peer.Name), &aws.ProviderArgs{
	AssumeRole: &aws.ProviderAssumeRoleArgs{
		RoleArn:     pulumi.String(fmt.Sprintf("arn:aws:iam::%s:role/%s", peer.AccountID, peer.AssumeRoleName)),
		SessionName: pulumi.String("PeeringProviderSession"),
	},
	Region: pulumi.String(region.Name),
}, pulumi.Provider(provider),
)
if err != nil {
	fmt.Println(err)
}

current, err = aws.GetCallerIdentity(ctx, nil, pulumi.Provider(peeringProvider))
if err != nil {
	return err
}
fmt.Println(current.Arn)
And guess what happens? This time I get the error message that my intermediate provider is the one breaking the run.
b
if I'm understanding the problem correctly (which it's highly possible I'm not) - the expected flow is: your base role - assume role into the intermediate provider - then from the intermediate provider, assume role into the peering provider. Is that right?
s
Correct
The intermediate provider's role is only allowed to assume into the destination roles
b
in your peering provider, you do this:
pulumi.Provider(provider),
I believe this should be:
pulumi.Provider(intermediateProvider),
s
When copying the destination code I broke it out into its own function.
The function interface is provider *aws.Provider
But it is the intermediate one that gets stuffed into it
b
what error do you get?
s
error: program failed: 1 error occurred:
    	* rpc error: code = Unknown desc = invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: 1 error occurred:
    	* error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::123456789012:/roles/intermediateRole) cannot be assumed.
    There are a number of possible causes of this - the most common are:
      * The credentials used in order to assume the role are invalid
      * The credentials do not have appropriate permission to assume the role
      * The role ARN is not valid
    Error: NoCredentialProviders: no valid providers in chain. Deprecated.
    	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
    exit status 1
My larger code base creates the intermediate provider in the main function and puts it into two different functions, one that does AWS account peering and the other one that operates on our TransitGateway .. The TGW one is working with its destinationProvider, whereas the Peering code fails with its particular destination provider.
b
it's really hard to help debug this unfortunately because your setup is so unique to you 😞 what I will say is, every time this comes up it's a misconfiguration - this is known to work and lots of people are doing it. The best I can do is suggest you go through each role permissions and provider config as best as possible
s
That is the funny part, we did the sts assume-role within the CLI, permissions with the IAM roles in use are correct.
My SSO role is allowed to assume the intermediate one and this worked before, whereas it now fails.
How do I attach dlv debugger to a pulumi run? Do you have an idea how to achieve this?
But his approach is with C# 😉
b
i have personally never done it, but it should be the same as any other Go code
s
Hmm, I always do a pulumi up .. vs. go build -o my_binary && ./my_binary
b
pulumi up with go does a go run in the background, you can build the binary and point to it in your Pulumi.yaml
see runtime.binary here: https://www.pulumi.com/docs/reference/pulumi-yaml/
s
Ahh, the Pulumi.yaml is the missing project I get?
❯ ./peering
error: program failed: missing project name
b
what does your Pulumi.yaml look like?
s
❯ cat Pulumi.yaml
name: infrastructure
runtime: go
description: VPC Peering
options:
  binary: peering
b
should be:
runtime:
  name: go
  options:
    binary: peering
s
This will force pulumi to build the binary, or use the previously built peering binary?
Doing a pulumi up answers my question .. must be pre-built
😉
For the reference, I found this issue that talks about options for debugging Pulumi go code: https://github.com/pulumi/pulumi/issues/1372