```export const createPulumiProgram = (args: Creat...
# automation-api
Copy code
export const createPulumiProgram = (args: CreatePulumiProgramArgs) => async () => {
  const { stack, inputs } = args
  // Should return client's account id since aws credentials in config 
  // is set to client's aws credentials, but returns my own account id
  const { accountId: awsAccountId } = await aws.getCallerIdentity({})
Which config? Env vars? ~/.aws/credentials? To make this work predictably, you should be passing the correct provider to
. If you're allowing credentials to "just work", it's not going to. In particular, env var credentials need to be handled very careful in AutomationAPI, since the child Pulumi process doesn't automatically inherit the parent's environment.
I recommend always passing the
) opt to all Pulumi calls. There's no other way to guarantee that your code will work the same way when being called in different ways (e.g. directly and via AutomationAPI).
Ah I see - so is that
getCallerIdentity({ provider: awsProvider })
? The docs for this says
function getCallerIdentity(opts?: InvokeOptions)
but when I click on
it goes nowhere
Yes. I'll see if I can find the docs for InvokeOptions
Awesome - thank you for the prompt response. Much appreciated!
The source is here, with annotated docs.. can't find a page with this info though. https://github.com/pulumi/pulumi/blob/master/sdk/nodejs/invoke.ts
It should be linked from this page but it's not: https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/pulumi/
OK thank you - since I got you here one more quick question regarding this. For Pulumi Automation, I was told to use Pulumi stack config to store the aws credentials, but reading the docs, it seems like
would allow me to use different profiles. How do you securely create this plain text file inside docker using Dockerfile? Do you have any examples of how you do that?
Right now I’m using Kubernetes Secrets to store and reference aws credentials inside my Docker containers, but I don’t think this method is possible for plain text files
I wouldn't create
inside a container. You might want to bind mount it, but I wouldn't recommend it. You could create
for your profiles and reference the default profile from one of them. However, you'd be better off going with explicit access key and secret access key, and providers. You can use role chaining instead of profiles.
Profile are intended for machines with real users on them. If you're working from a transient container built on demand, you can take advantage of environments and other non-persistent ways of accessing secrets.
To answer the question though: you can create files in your dockerfile via COPY, RUN (to run a script that creates the file), or similar.
Oh I see - this is awesome. Thank you so much for detailed answers!
Hi @little-cartoon-10569 I’m just testing out the provider method, but a little confused about
usage - I have
Pulumi config set, so does
return that value?
doesn’t seem to work
There's a few things to answer there 🙂
To get to region from the config file, you need
new pulumi.Config("aws").require("region")
will get the region of the "default" connection to AWS, but exactly what that is depends on env vars, profiles, credentials files, config files, and probably the phase of the moon and how recently your cat last ate.
(And if you have no cat, then I don't know how it figures it out.)
also takes an InvokeOptions, so to be certain of getting
, you really need to be calling
getRegion({ provider: new Provider("foo", { region: "us-east-1" }))
I've long ago given up trying to figure out how AWS+Pulumi+automation-api all combine to influence which credentials are used. I nearly always explicitly load the AWS config from the stack file, create an explicit provider, and use it. It never fails.
This is so great - it was confusing me to no end! I ran into so many issues. I’m just going to do what you suggested.
Thanks again - this was VERY helpful!
👍 1
@little-cartoon-10569 If you don’t mind, can I ask you about Pulumi plugin versions in Automation API? I’m really confused as to how it picks the version it requires. Locally I’m using the latest version, but automation API frequently errors out citing another older version?
Sorry, not my area of specialty 😞 I'd check the package.json and lock file...
Or maybe Lee or Evan might know.. try posting a new thread and see if you get any bites.
OK got it - thank you!!