victorious-wall-1075

02/17/2022, 4:04 AM
TL;DR: Is “pulumi login” a mandatory step before using the automation API? Is there a way to specify the login details in the automation API? I am trying to run pulumi in automation mode (without having ~/.pulumi/credentials). I am configuring the projectSettings this way:
self.projectSettings = auto.ProjectSettings(
    name=projectName,
    runtime="python",
    backend={"url": f"s3://pulumi?region=us-east-1&endpoint={epUrl}&disableSSL=true&s3ForcePathStyle=true"}
)
When I run my code - I see this:
>           raise Exception(err)
E           Exception: Error Deploying HELM -
E            code: 255
E            stdout:
E            stderr: Logging in using access token from PULUMI_ACCESS_TOKEN
E           error: invalid access token

IACLib/src/pulumi_iac/platforms/kubernetes/__init__.py:145: Exception
What am I missing here that pulumi is asking for PULUMI_ACCESS_TOKEN? If I do pulumi login (and it produces the credentials file), things work fine.
➜ cat ~/.pulumi/credentials.json
{
    "current": "s3://pulumi?region=us-east-1\u0026endpoint=192.168.31.2:54640\u0026disableSSL=true\u0026s3ForcePathStyle=true",
    "accessTokens": {
        "s3://pulumi?region=us-east-1\u0026endpoint=192.168.31.2:54640\u0026disableSSL=true\u0026s3ForcePathStyle=true": ""
    },
    "accounts": {
        "s3://pulumi?region=us-east-1\u0026endpoint=192.168.31.2:54640\u0026disableSSL=true\u0026s3ForcePathStyle=true": {
            "lastValidatedAt": "0001-01-01T00:00:00Z"
        }
    }
}%

and I have to set these exports:

export AWS_ACCESS_KEY_ID=miniouser
export AWS_SECRET_ACCESS_KEY=miniopasswd
export AWS_PROFILE=minio
I want to know how to pass the credentials via automation without having this file.
Hello team - Any insights into this?

bland-continent-32037

02/18/2022, 5:30 PM
Running pulumi login generates an access token. You can also generate an access token from the Pulumi console, under the Settings for that account. Then set it as an environment variable called PULUMI_ACCESS_TOKEN.

curved-quill-94238

02/22/2022, 3:42 PM
No, you don't have to run login or set an access token. If you are using AWS KMS to encrypt secrets and an AWS S3 bucket to store state, I got this to work:
from pulumi.automation import (
    LocalWorkspaceOptions,
    ProjectBackend,
    ProjectRuntimeInfo,
    ProjectSettings,
    StackSettings,
    create_or_select_stack,
)

secrets_provider = f"awskms://{kms_key_id}"
logger.info(f"Stack is: {fully_qualified_stack_name}")
project_runtime_info = ProjectRuntimeInfo(  # Eli (2/11/21) - I have no idea what this does or if it is necessary
    name="python", options={"virtualenv": "venv"}
)
# State is stored in the S3 bucket named here, so no Pulumi access token is involved
backend_url = f"s3://{backend_bucket}/REDACTED/{GITLAB_WORKLOAD_NAME}/{GITLAB_PROJECT_NAME}"

project_backend = ProjectBackend(url=backend_url)
project_settings = ProjectSettings(
    name=project_name, runtime=project_runtime_info, backend=project_backend
)
stack_settings = StackSettings(
    secrets_provider=secrets_provider,
    config=stack_config,
)
workspace_options = LocalWorkspaceOptions(
    secrets_provider=secrets_provider,  # Eli (2/11/22): since secrets_provider is already given in the ProjectSettings, I don't know if it's needed in both places or if just one spot would be better. Unclear at the moment
    project_settings=project_settings,
    stack_settings={stack_name: stack_settings},
)

stack = create_or_select_stack(
    stack_name,
    project_name=project_name,
    program=pulumi_program,
    opts=workspace_options,
)