
little-soccer-5693

02/11/2022, 7:29 PM
i'm struggling getting pulumi to leverage the iam role attached to my ec2 instance for credentials. i am getting this error:
Diagnostics:
aws:acm:Certificate (Bopmatic-wwwcert):
error: 1 error occurred:
* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
Please see https://registry.terraform.io/providers/hashicorp/aws
for more information about providing credentials.
Error: NoCredentialProviders: no valid providers in chain
caused by: EnvAccessKeyNotFound: failed to find credentials in the environment.
SharedCredsLoad: failed to load profile, .
EC2RoleRequestError: no EC2 instance role found
caused by: RequestCanceled: EC2 IMDS access disabled via AWS_EC2_METADATA_DISABLED env var
I have aws:skipMetadataApiCheck: "false" in my Pulumi.dev.yaml and when i create a non-default provider I have:
// explicit us-east-1 provider; SkipMetadataApiCheck false so the instance role can be read from IMDS
aws.NewProvider(ctx, "us-east-1-provider", &aws.ProviderArgs{
    Region:               pulumi.String("us-east-1"),
    SkipMetadataApiCheck: pulumi.Bool(false),
})
any idea what else i need to do to fix this?

bored-table-20691

02/11/2022, 8:41 PM
Two questions: 1. I assume you can access the AWS CLI normally on this machine with the machine credentials? 2. Are you sure it’s using the right provider/stack you think it’s on?

little-soccer-5693

02/11/2022, 9:01 PM
1. yes aws CLI works fine 2. can you clarify your question?

bored-table-20691

02/11/2022, 9:03 PM
Is it possible that the resource you’re creating is either using a different provider (which doesn’t have the skip metadata flag on) or it’s in a different stack from where you set the flag? I doubt this is the issue, but just asking for good measure.

little-soccer-5693

02/11/2022, 9:04 PM
i use 2 providers in this program, the default one and the one i manually create. my understanding is that the default one is supposed to pick up configuration from Pulumi.dev.yaml and in the one i manually create i'm setting SkipMetadataApiCheck explicitly.

bored-table-20691

02/11/2022, 9:07 PM
Yes. The resource that’s failing - is that the one that is using the default provider or your explicit one?
Bopmatic-wwwcert

little-soccer-5693

02/11/2022, 9:08 PM
explicit one. i deploy everything i can in us-east-2 but cloudfront requires certs to be in us-east-1. so for that 1 cert i create a provider for us-east-1 and create the cert there explicitly using that provider i manually create

bored-table-20691

02/11/2022, 9:11 PM
To be clear, I can’t think of a reason why it’s not working, just thinking through some simple reasons why it may be off.
What does the code for that resource look like?

little-soccer-5693

02/11/2022, 9:15 PM
// certificate for the www host; a second domainNames entry becomes a SAN
certArgs := &acm.CertificateArgs{
    DomainName:       pulumi.String(domainNames[0]),
    ValidationMethod: pulumi.String("DNS"),
}
if len(domainNames) == 2 {
    certArgs.SubjectAlternativeNames = pulumi.StringArray{pulumi.String(domainNames[1])}
}
// created with the explicit us-east-1 provider, since CloudFront requires certs in that region
cert, err := acm.NewCertificate(ctx, certName, certArgs, pulumi.Provider(wwwCertProvider))
if err != nil {
    return nil, nil, err
}

bored-table-20691

02/11/2022, 9:17 PM
Hmmm, I am not sure. Assuming wwwCertProvider is what you posted before, that should indeed work.

little-soccer-5693

02/11/2022, 9:17 PM
yes. if i use an IAM user instead of an IAM role attached to the instance everything works fine.

bored-table-20691

02/11/2022, 9:18 PM
And the instance is running the metadata service, presumably?

little-soccer-5693

02/11/2022, 9:19 PM
$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials
Pulumi-EC2-Role

bored-table-20691

02/11/2022, 9:22 PM
👍
Sorry I could not be more help.

little-soccer-5693

02/11/2022, 9:22 PM
no problem; thanks for taking a look

billowy-army-68599

02/11/2022, 9:59 PM
what does aws sts get-caller-identity return?

little-soccer-5693

02/11/2022, 11:39 PM
@billowy-army-68599
$ aws sts get-caller-identity
{
    "UserId": "AROAYMJT3EWAONHLETVZT:i-06741991e64dec4fb",
    "Account": "<ACCOUNT_ID_REDACTED>",
    "Arn": "arn:aws:sts::<ACCOUNT_ID_REDACTED>:assumed-role/Pulumi-EC2-Role/i-06741991e64dec4fb"
}

sparse-state-34229

03/29/2022, 4:25 PM
@billowy-army-68599 I get this too
but not with terraform
which doesn’t seem logical