i'm struggling getting pulumi to leverage the iam ...
# aws
i'm struggling getting pulumi to leverage the iam role attached to my ec2 instance for credentials. i am getting this error:
aws:acm:Certificate (Bopmatic-wwwcert):
error: 1 error occurred:
* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
Please see <https://registry.terraform.io/providers/hashicorp/aws>
for more information about providing credentials.
Error: NoCredentialProviders: no valid providers in chain
caused by: EnvAccessKeyNotFound: failed to find credentials in the environment.
SharedCredsLoad: failed to load profile, .
EC2RoleRequestError: no EC2 instance role found
caused by: RequestCanceled: EC2 IMDS access disabled via AWS_EC2_METADATA_DISABLED env var
I have awsskipMetadataApiCheck "false" in my Pulumi.dev.yaml and when i create a non-default provider I have:
aws.NewProvider(ctx, "us-east-1-provider", &aws.ProviderArgs{
Region: pulumi.String("us-east-1"),
SkipMetadataApiCheck:      pulumi.Bool(false),
any idea what else i need to do to fix this?
Two questions: 1. I assume you can access the AWS CLI normally on this machine with the machine credentials? 2. Are you sure it’s using the right provider/stack you think it’s on?
1. yes aws CLI works fine 2. can you clarify your question?
Is it possible that the resource you’re creating is either using a different provider (which doesn’t have the skip metadata flag on) or it’s ain different stack from where you set the flag? I doubt this is the issue, but just asking for good measure.
i use 2 providers in this program, the default one and the one i manually create. my understand is that the default one is supposed to pick up configuration from Pulumi.dev.yaml and in in the one i manually create i'm setting SkipMetadataApiCheck explicitly.
Yes. The resource that’s failing - is that the one that is using the default provider or your explicit one?
explicit one. i deploy everything i can in us-east-2 but cloudfront requires certs to be in us-east-1. so for that 1 cert i create a provider for us-east-1 and create the cert there explicitly using that provider i manually create
To be clear, I can’t think of a reason why it’s not working, just thinking through some simple reasons why it may be off.
What does the code for that resource look like?
certArgs := &acm.CertificateArgs{
DomainName:       pulumi.String(domainNames[0]),
ValidationMethod: pulumi.String("DNS"),
if len(domainNames) == 2 {
certArgs.SubjectAlternativeNames = pulumi.StringArray{pulumi.String(domainNames[1])}
cert, err := acm.NewCertificate(ctx, certName, certArgs, pulumi.Provider(wwwCertProvider))
if err != nil {
return nil, nil, err
Hmmm, I am not sure. Assuming
is what you posted before, that should indeed work.
yes. if i use an IAM user instead of an IAM role attached the the instance everything works fine.
And the instance is running the metadata service, presumably?
$ curl <>
Sorry I could not be more help.
no problem; thanks for taking a look
what does
aws sts get-caller-identity
$ aws sts get-caller-identity
"UserId": "AROAYMJT3EWAONHLETVZT:i-06741991e64dec4fb",
"Arn": "arn:aws:sts::<ACCOUNT_ID_REDACTED>:assumed-role/Pulumi-EC2-Role/i-06741991e64dec4fb"
@billowy-army-68599 I get this too
but not with terraform
which doesn’t seem logical