For some reason I can't update my AWS stack at the...
# aws
c
For some reason I can't update my AWS stack at the moment as I just keep getting:
```
aws:ecs:Service (backend):
  error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configuration
```
even though I have several profiles, and for the stack I have the proper AWS profile configured in the yaml file. And it seems like it can build and push the docker image but it cannot edit the Fargate task definition or something? I am not savvy with either AWS or Pulumi and this is something I've inherited, but I can't wrap my head around this. I also followed the link and repeated the setup and yet nothing.

EDIT: I can't seem to restore the state of whatever it is I've managed to bork up at all? I haven't changed any credentials or keys to begin with so this feels like such a weird curve ball? 🤔 Any ideas?
l
Since this is a backend issue, it won't be using profiles passed to your Pulumi command; it will be using the default profile only. You need to set `AWS_PROFILE` or `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` in your environment to configure the backend.
c
I noticed that `aws:profile` didn't work anymore so I eventually set `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` instead. But this will make managing envs more problematic.
Is it a bug/regression or something else? I also saw in the docs somewhere that the config key was called `aws-native:profile` now, or something? Is this related to the problem?
And now I am trying to find the source of what I just claimed – like a decent person – but I can only find the one saying `aws:profile`: https://www.pulumi.com/registry/packages/aws/installation-configuration/
So maybe it was an earlier version of this page.
l
`aws:profile` won't ever work with backends. `AWS_PROFILE` will. `aws:profile` configures the default AWS provider, but backends are created before providers (before the engine gets involved at all).
There might be another way to configure the secrets via the `backend:` configuration in `Pulumi.yaml`, but I don't know about that. I've always just used the env vars for backend configuration.
c
But that doesn't make sense? Like, it worked before? 🤔 So do you have an example of a file that won't work vs one that does? Like, what does "backends" mean here?
When deploying production I never used the env variables, and the GitHub Action also creates a profile in `~/.aws/credentials`, so the GitHub Action also works without the env variables. So I'm confused as to what you mean with "aws:profile won't ever work with backends". 🤔 If I've declared something weird in my rewrite of the stack that causes this I'd like to identify it. Other than that the config should be the same regarding AWS itself.
l
Backend means the place where the state file is stored. On a local file system, in an S3 bucket, in the Pulumi service, etc.
Configuration of the backend is completely separate from configuration of the provider that puts resources into the cloud.
c
Okay, so if I'm not self-hosting I'm using pulumi.com, right?
And just to clarify, the `aws:ecs:Service (backend):` refers to our service called `backend` in Pulumi, and part of what I'm up to right now is implementing a naming convention for all Pulumi resources so as to not be able to confuse them between envs, if one were to accidentally run this with incorrect AWS credentials. `backend` used to be the name for our ECS Cluster, Fargate Service, Docker Image and much more. Now it's going to follow `<service>-<env>-<aws-resource-type>` instead.
Anyway, being honest, the explanation that configuring the backend of Pulumi is separate from configuring the provider that runs the resource migrations is fuzzy to me, since I have not changed anything about how I connect to AWS and only actually changed names of my resources and whatnot. So if this is the case, how do I debug it? How do I fix it? I've only seen resources referring to how to run commands that locally affect my `Pulumi-<stack>.yml` files. Or using `aws configure`, which is a different CLI altogether, or the env variables as mentioned earlier.
l
Ah, that's important. Then I've led you down the garden path there; ignore all that stuff about backends, it's irrelevant.
I found an issue (or development decision, not sure) a few days ago where providers were not working when `aws:profile` was set correctly, but they were working when `AWS_PROFILE` was set correctly. It turns out that `aws:profile` isn't used by default when you're creating your own AWS provider. Are you doing that? If you are, then can you try setting `profile: new pulumi.Config("aws").require("profile")`?
c
Nothing changed in terms of the profile provider so it shouldn't be that. I'll triple check but I am almost entirely sure, hah.
So to me it felt like a bug, because I hadn't touched anything regarding this part of the Pulumi stack file.