We’re hitting a behavior that I wasn’t sure is expected or not. We use the AWS provider with assume-role, like this:
```go
// Explicit AWS provider that assumes a per-tenant role; the session name is
// derived from a configured base name plus the tenant name.
awsProvider, err := aws.NewProvider(ctx, "aws-provider", &aws.ProviderArgs{
	AssumeRole: &aws.ProviderAssumeRoleArgs{
		RoleArn:     awsAssumeRoleArn,
		SessionName: pulumi.Sprintf("%s-tenant-%s", awsAssumeRoleSessionName, tenant.name),
	},
	SkipMetadataApiCheck: pulumi.Bool(false),
})
```
When the session name is longer than 64 characters (which is invalid for the AWS API), the error we get from Pulumi is:
```
error: an unhandled error occurred: 1 error occurred:
	* rpc error: code = Unknown desc = invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: 1 error occurred:
	* error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::xxxxxxx:role/CI) cannot be assumed.

There are a number of possible causes of this - the most common are:
  * The credentials used in order to assume the role are invalid
  * The credentials do not have appropriate permission to assume the role
  * The role ARN is not valid

Error: NoCredentialProviders: no valid providers in chain. Deprecated.
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
```
If I run this manually via the AWS CLI, I get a proper error:
```
> aws sts assume-role --role-arn arn:aws:iam::xxxxxxx:role/CI --role-session-name abcd-xvy-asdjh-adfdfsdfsdfdfdfAda-sdfhsfbhbdfjsdjjajdadasdsadada-asdhajdhjashdjhajfhjahf

An error occurred (ValidationError) when calling the AssumeRole operation: 1 validation error detected: Value 'abcd-xvy-asdjh-adfdfsdfsdfdfdfAda-sdfhsfbhbdfjsdjjajdadasdsadada-asdhajdhjashdjhajfhjahf' at 'roleSessionName' failed to satisfy constraint: Member must have length less than or equal to 64
```
Is this a Terraform issue that we don’t get a proper error, or is this fixable? This led us down a wild goose chase on whether our pod IAM role was wrong so we couldn’t assume, etc., but we eventually narrowed it down to the length. We’ll fix that issue on our end, but it would be nice if this returned a better error.
OK, turns out this was an old version of the AWS plugin. 4.37.1 returns a more sane error:
```
error: program failed: 1 error occurred:
	* rpc error: code = Unknown desc = invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: could not validate provider configuration: 1 error occurred:
	* expected length of assume_role.0.session_name to be in the range (2 - 64), got xyyyy...zzzzz
exit status 1
```
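The 64-character limit this thread runs into, as an added example that is not part of the original post or of the Pulumi AWS provider: a small Go helper that builds the same `<prefix>-tenant-<name>` session name the program above uses and enforces the STS `RoleSessionName` constraints (length 2 to 64, characters limited to `[\w+=,.@-]`) before the value ever reaches the provider, so a long or odd tenant name fails fast in your own code instead of surfacing as a misleading "cannot be assumed" error from an older plugin. The function names and the truncate-plus-hash scheme are my choices, and the sample inputs are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Constraints STS applies to RoleSessionName: 2..64 characters drawn from [\w+=,.@-].
const (
	sessionNameMinLen = 2
	sessionNameMaxLen = 64
)

var (
	sessionNameAllowed = regexp.MustCompile(`^[\w+=,.@-]+$`)
	sessionNameBadChar = regexp.MustCompile(`[^\w+=,.@-]`)
)

// ValidateSessionName reports why STS would reject name, wording the length
// error the way the newer provider does ("in the range (2 - 64)").
func ValidateSessionName(name string) error {
	if len(name) < sessionNameMinLen || len(name) > sessionNameMaxLen {
		return fmt.Errorf("expected length of session name to be in the range (%d - %d), got %d",
			sessionNameMinLen, sessionNameMaxLen, len(name))
	}
	if !sessionNameAllowed.MatchString(name) {
		return fmt.Errorf("session name %q contains characters outside [\\w+=,.@-]", name)
	}
	return nil
}

// TenantSessionName builds "<prefix>-tenant-<tenant>" and guarantees the result
// satisfies the STS constraints. Disallowed characters become "-". If the name is
// too long it is truncated and an 8-hex-digit SHA-256 prefix of the full name is
// appended, so distinct tenants keep distinct, deterministic session names that
// remain attributable in CloudTrail rather than colliding after a blind cut.
// (Hypothetical helper; not part of the Pulumi program in the post.)
func TenantSessionName(prefix, tenant string) (string, error) {
	full := fmt.Sprintf("%s-tenant-%s", prefix, tenant)
	// After sanitizing, the string is pure ASCII, so byte slicing below is safe.
	sanitized := sessionNameBadChar.ReplaceAllString(full, "-")
	if len(sanitized) <= sessionNameMaxLen {
		return sanitized, ValidateSessionName(sanitized)
	}
	sum := sha256.Sum256([]byte(full))
	suffix := "-" + hex.EncodeToString(sum[:])[:8] // 9 characters
	head := strings.TrimRight(sanitized[:sessionNameMaxLen-len(suffix)], "-")
	name := head + suffix
	return name, ValidateSessionName(name)
}

func main() {
	// Constructed input: the over-long name from the CLI repro in the post.
	long := "abcd-xvy-asdjh-adfdfsdfsdfdfdfAda-sdfhsfbhbdfjsdjjajdadasdsadada-asdhajdhjashdjhajfhjahf"
	fmt.Println("raw name:", ValidateSessionName(long))

	name, err := TenantSessionName("ci", "acme")
	fmt.Println(name, err)

	name, err = TenantSessionName("ci", strings.Repeat("x", 80))
	fmt.Println(name, len(name), err)
}
```

In the Pulumi program you would call `TenantSessionName(awsAssumeRoleSessionName, tenant.name)` once, return the error from the program if it is non-nil, and pass `pulumi.String(name)` as `SessionName` instead of the raw `pulumi.Sprintf`. Validating in the program keeps the failure next to the value that caused it, and the hash suffix matters because session names are what you will later grep for in CloudTrail when tracing which tenant a call was made for.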