export const createPulumiProgram = (args: Creat...
# automation-api
m
```typescript
import * as aws from "@pulumi/aws"

export const createPulumiProgram = (args: CreatePulumiProgramArgs) => async () => {
  const { stack, inputs } = args

  // Should return client's account id since aws credentials in config
  // is set to client's aws credentials, but returns my own account id
  const { accountId: awsAccountId } = await aws.getCallerIdentity({})
}
```
l
Which config? Env vars? `~/.aws/credentials`? To make this work predictably, you should be passing the correct provider to `getCallerIdentity()`. If you're allowing credentials to "just work", it's not going to. In particular, env var credentials need to be handled very carefully in AutomationAPI, since the child Pulumi process doesn't automatically inherit the parent's environment.
I recommend always passing the `provider` (or `providers`) opt to all Pulumi calls. There's no other way to guarantee that your code will work the same way when being called in different ways (e.g. directly and via AutomationAPI).
m
Ah I see - so is that `getCallerIdentity({ provider: awsProvider })`? The docs for this say `function getCallerIdentity(opts?: InvokeOptions)` but when I click on `InvokeOptions` it goes nowhere
l
Yes. I'll see if I can find the docs for InvokeOptions
m
Awesome - thank you for the prompt response. Much appreciated!
l
The source is here, with annotated docs.. can't find a page with this info though. https://github.com/pulumi/pulumi/blob/master/sdk/nodejs/invoke.ts
It should be linked from this page but it's not: https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/pulumi/
m
OK thank you - since I got you here one more quick question regarding this. For Pulumi Automation, I was told to use Pulumi stack config to store the aws credentials, but reading the docs, it seems like `~/.aws/credentials` would allow me to use different profiles. How do you securely create this plain text file inside docker using Dockerfile? Do you have any examples of how you do that?
Right now I’m using Kubernetes Secrets to store and reference aws credentials inside my Docker containers, but I don’t think this method is possible for plain text files
l
I wouldn't create `~/.aws/credentials` inside a container. You might want to bind mount it, but I wouldn't recommend it. You could create `~/.aws/config` for your profiles and reference the default profile from one of them. However, you'd be better off going with explicit access key and secret access key, and providers. You can use role chaining instead of profiles.
Profiles are intended for machines with real users on them. If you're working from a transient container built on demand, you can take advantage of environments and other non-persistent ways of accessing secrets.
To answer the question though: you can create files in your dockerfile via COPY, RUN (to run a script that creates the file), or similar.
m
Oh I see - this is awesome. Thank you so much for detailed answers!
Hi @little-cartoon-10569 I’m just testing out the provider method, but a little confused about `aws.getRegion()` usage - I have `aws:region` Pulumi config set, so does `aws.getRegion()` return that value? `config.require('aws:region')` doesn’t seem to work
l
There's a few things to answer there 🙂
To get to region from the config file, you need `new pulumi.Config("aws").require("region")`.
`aws.getRegion()` will get the region of the "default" connection to AWS, but exactly what that is depends on env vars, profiles, credentials files, config files, and probably the phase of the moon and how recently your cat last ate.
(And if you have no cat, then I don't know how it figures it out.)
`getRegion()` also takes an InvokeOptions, so to be certain of getting `us-east-1`, you really need to be calling `getRegion({ provider: new Provider("foo", { region: "us-east-1" }) })`.
I've long ago given up trying to figure out how AWS+Pulumi+automation-api all combine to influence which credentials are used. I nearly always explicitly load the AWS config from the stack file, create an explicit provider, and use it. It never fails.
m
This is so great - it was confusing me to no end! I ran into so many issues. I’m just going to do what you suggested.
Thanks again - this was VERY helpful!
@little-cartoon-10569 If you don’t mind, can I ask you about Pulumi plugin versions in Automation API? I’m really confused as to how it picks the version it requires. Locally I’m using the latest version, but automation API frequently errors out citing another older version?
l
Sorry, not my area of specialty 😞 I'd check the package.json and lock file...
Or maybe Lee or Evan might know.. try posting a new thread and see if you get any bites.
m
OK got it - thank you!!