i'm struggling getting pulumi to leverage the iam ...
# aws
l
I'm struggling to get Pulumi to leverage the IAM role attached to my EC2 instance for credentials. I am getting this error:
Diagnostics:
  aws:acm:Certificate (Bopmatic-wwwcert):
    error: 1 error occurred:
      * error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
        Please see https://registry.terraform.io/providers/hashicorp/aws
        for more information about providing credentials.
        Error: NoCredentialProviders: no valid providers in chain
        caused by: EnvAccessKeyNotFound: failed to find credentials in the environment.
          SharedCredsLoad: failed to load profile, .
          EC2RoleRequestError: no EC2 instance role found
            caused by: RequestCanceled: EC2 IMDS access disabled via AWS_EC2_METADATA_DISABLED env var
I have aws:skipMetadataApiCheck "false" in my Pulumi.dev.yaml, and when I create a non-default provider I have:

	// Explicit provider pinned to us-east-1, with the IMDS check left enabled
	// so the provider can pick up the instance role's credentials.
	wwwCertProvider, err := aws.NewProvider(ctx, "us-east-1-provider", &aws.ProviderArgs{
		Region:               pulumi.String("us-east-1"),
		SkipMetadataApiCheck: pulumi.Bool(false),
	})
	if err != nil {
		return nil, nil, err
	}

Any idea what else I need to do to fix this?
b
Two questions: 1. I assume you can access the AWS CLI normally on this machine with the machine credentials? 2. Are you sure it’s using the right provider/stack you think it’s on?
l
1. Yes, the AWS CLI works fine. 2. Can you clarify your question?
b
Is it possible that the resource you're creating is either using a different provider (which doesn't have the skip metadata flag on) or it's in a different stack from where you set the flag? I doubt this is the issue, but just asking for good measure.
l
I use 2 providers in this program, the default one and the one I manually create. My understanding is that the default one is supposed to pick up configuration from Pulumi.dev.yaml, and in the one I manually create I'm setting SkipMetadataApiCheck explicitly.
b
Yes. The resource that's failing, Bopmatic-wwwcert, is that the one that is using the default provider or your explicit one?
l
The explicit one. I deploy everything I can in us-east-2, but CloudFront requires certs to be in us-east-1. So for that 1 cert I create a provider for us-east-1 and create the cert there explicitly using that provider I manually create.
b
To be clear, I can’t think of a reason why it’s not working, just thinking through some simple reasons why it may be off.
What does the code for that resource look like?
l
	// Certificate for the primary domain, validated via DNS.
	certArgs := &acm.CertificateArgs{
		DomainName:       pulumi.String(domainNames[0]),
		ValidationMethod: pulumi.String("DNS"),
	}
	// Optional second name (e.g. the bare apex or www variant) as a SAN.
	if len(domainNames) == 2 {
		certArgs.SubjectAlternativeNames = pulumi.StringArray{pulumi.String(domainNames[1])}
	}
	// Create the cert through the explicit us-east-1 provider, as CloudFront requires.
	cert, err := acm.NewCertificate(ctx, certName, certArgs, pulumi.Provider(wwwCertProvider))
	if err != nil {
		return nil, nil, err
	}
b
Hmmm, I am not sure. Assuming wwwCertProvider is what you posted before, that should indeed work.
l
Yes. If I use an IAM user instead of an IAM role attached to the instance, everything works fine.
b
And the instance is running the metadata service, presumably?
l
	$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials
	Pulumi-EC2-Role
b
👍
Sorry I could not be more help.
l
no problem; thanks for taking a look
b
What does aws sts get-caller-identity return?
l
@billowy-army-68599
	$ aws sts get-caller-identity
	{
	    "UserId": "AROAYMJT3EWAONHLETVZT:i-06741991e64dec4fb",
	    "Account": "<ACCOUNT_ID_REDACTED>",
	    "Arn": "arn:aws:sts::<ACCOUNT_ID_REDACTED>:assumed-role/Pulumi-EC2-Role/i-06741991e64dec4fb"
	}
s
@billowy-army-68599 I get this too, but not with Terraform, which doesn't seem logical.