Thread
#aws
    c

    cool-glass-63014

    7 months ago
    For some reason I can't update my AWS stack at the moment as I just keep getting:
    aws:ecs:Service (backend):
      error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configuration
    even though I have several profiles, and for the stack I have the proper AWS profile configured in the yaml file. And it seems like it can build and push the docker image but it cannot edit the Fargate task definition or something? I am not savvy with either AWS or Pulumi and this is something I've inherited, but I can't wrap my head around this. I also followed the linked and repeated the setup and yet nothing. EDIT: I can't seem to restore the state of whatever it is I've managed to bork up at all? I haven't changed any credentials or keys to begin with so this feels like such a weird curve ball? 🤔 Any ideas?
    l

    little-cartoon-10569

    7 months ago
    Since this is a backend issue, it won't be using profiles passed to your Pulumi command, it will be using the default profile only. You need to set
    AWS_PROFILE
    or AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY in your environment to configure the backend.
    c

    cool-glass-63014

    7 months ago
    I noticed that
    aws:profile
    didn't work anymore so I eventually set
    AWS_ACCESS_KEY_ID
    and
    AWS_SECRET_ACCESS_KEY
    instead. But this will make managing envs more problematic
    Is it a bug/regression or something else? I also saw in the docs somewhere that the config key was called
    aws-native:profile
    now, or something? Is this related to the problem?
    And now when I am trying to find the source of what I just claimed – like decent person – but can only find the one saying aws😛rofile: https://www.pulumi.com/registry/packages/aws/installation-configuration/
    So maybe it was an earlier version of this page
    l

    little-cartoon-10569

    7 months ago
    aws😛rofile won't ever work with backends. AWS_PROFILE will. aws😛rofile configures the default AWS provider, but backends are created before providers (before the engine gets involved at all).
    There might be another way to configure the secrets via the backend: configuration in Pulumi.yaml, but I don't know about that. I've always just used the env vars for backend configuration.
    c

    cool-glass-63014

    7 months ago
    But that doesn't make sense? Like, it worked before? 🤔 So do you have an example of a file that won't work vs one that does? Like, what does "backends" mean here?
    When deploying production I never used the env variables and the GitHub action also creates a profile in
    ~/.aws/credentials
    , so the GitHub Action also works without the env variables. So I'm confused as to what you mean with "aws😛rofile won't ever work with backends". 🤔 If I've declared something weird in my rewrite of the stack that causes this I'd like to identify it. Other than that the config should be the same regarding AWS itself.
    l

    little-cartoon-10569

    7 months ago
    Backend means the place where the state file is stored. On a local file system, in an S3 bucket, in the Pulumi service, etc.
    Configuration of the backend is completely separate from configuration of the provider that puts resources into the cloud.
    c

    cool-glass-63014

    7 months ago
    Okay, so if I'm not self-hosting I'm using pulumi.com, right?
    And just to clarify, the
    aws:ecs:Service (backend):
    refers to our service called
    backend
    in pulumi, and part of what I'm up to right now is implementing a naming convention for all Pulumi resources so as to not be able to confuse them between envs, if one were to accidentally run this with incorrect AWS credentials.
    backend
    used to be the name for our ECS Cluster, Fargate Service, Docker Image and much more. Now it's going to follow
    <service>-<env>-<aws-resource-type>
    instead.
    Anyway, being honest, the explanation that configuring the backend of Pulumi is separate from configuring the provider that runs the resource migrations is fuzzy to me, since I have not changed anything about how I connect to AWS and only actually changed names of my resources and whatnot. So if this is the case, how do I debug it? How do I fix it? I've only seen resources referring to how to run commands that locally affect my
    Pulumi-<stack>.yml
    files. Or using
    aws configure
    , which is a different CLI altogether, or the env variables as mentioned earlier.
    l

    little-cartoon-10569

    6 months ago
    Ah, that's important. Then I've lead you down the garden path there, ignore all that stuff about backends, it's irrelevant.
    I found an issue (or development decision.. not sure) a few days ago where providers were not working when
    aws:profile
    was set correctly, but they were working when
    AWS_PROFILE
    was set correctly. It turns out that
    aws:profile
    isn't used by default when you're creating your own AWS provider. Are you doing that? If you are, then can you try setting
    profile: new pulumi.Config("aws").require("profile")
    ?
    c

    cool-glass-63014

    6 months ago
    Nothing changed in terms of the profile provider so it shouldn't be that. I'll triple check but I am almost entirely sure hah
    So to me it felt like a bug, because I hadn't touched anything regarding this part of the pulumi stack file