#automation-api

    most-lighter-95902

    6 months ago
    export const createPulumiProgram = (args: CreatePulumiProgramArgs) => async () => {
      const { stack, inputs } = args
      
      // Should return client's account id since aws credentials in config 
      // is set to client's aws credentials, but returns my own account id
      const { accountId: awsAccountId } = await aws.getCallerIdentity({})
    }

    little-cartoon-10569

    6 months ago
    Which config? Env vars? ~/.aws/credentials? To make this work predictably, you should be passing the correct provider to `getCallerIdentity()`. If you're allowing credentials to "just work", it's not going to. In particular, env var credentials need to be handled very carefully in AutomationAPI, since the child Pulumi process doesn't automatically inherit the parent's environment.
    I recommend always passing the `provider` (or `providers`) opt to all Pulumi calls. There's no other way to guarantee that your code will work the same way when being called in different ways (e.g. directly and via AutomationAPI).

    most-lighter-95902

    6 months ago
    Ah I see - so is that `getCallerIdentity({ provider: awsProvider })`? The docs for this say `function getCallerIdentity(opts?: InvokeOptions)` but when I click on `InvokeOptions` it goes nowhere

    little-cartoon-10569

    6 months ago
    Yes. I'll see if I can find the docs for InvokeOptions

    most-lighter-95902

    6 months ago
    Awesome - thank you for the prompt response. Much appreciated!

    little-cartoon-10569

    6 months ago
    The source is here, with annotated docs.. can't find a page with this info though. https://github.com/pulumi/pulumi/blob/master/sdk/nodejs/invoke.ts
    It should be linked from this page but it's not: https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/pulumi/

    most-lighter-95902

    6 months ago
    OK thank you - since I got you here one more quick question regarding this. For Pulumi Automation, I was told to use Pulumi stack config to store the aws credentials, but reading the docs, it seems like `~/.aws/credentials` would allow me to use different profiles. How do you securely create this plain text file inside docker using Dockerfile? Do you have any examples of how you do that?
    Right now I’m using Kubernetes Secrets to store and reference aws credentials inside my Docker containers, but I don’t think this method is possible for plain text files

    little-cartoon-10569

    6 months ago
    I wouldn't create `~/.aws/credentials` inside a container. You might want to bind mount it, but I wouldn't recommend it. You could create `~/.aws/config` for your profiles and reference the default profile from one of them. However, you'd be better off going with explicit access key and secret access key, and providers. You can use role chaining instead of profiles.
    Profiles are intended for machines with real users on them. If you're working from a transient container built on demand, you can take advantage of environments and other non-persistent ways of accessing secrets.
    To answer the question though: you can create files in your dockerfile via COPY, RUN (to run a script that creates the file), or similar.

    most-lighter-95902

    6 months ago
    Oh I see - this is awesome. Thank you so much for detailed answers!
    Hi @little-cartoon-10569 I’m just testing out the provider method, but a little confused about `aws.getRegion()` usage - I have `aws:region` Pulumi config set, so does `aws.getRegion()` return that value? `config.require('aws:region')` doesn’t seem to work

    little-cartoon-10569

    6 months ago
    There's a few things to answer there 🙂
    To get to region from the config file, you need `new pulumi.Config("aws").require("region")`.
    `aws.getRegion()` will get the region of the "default" connection to AWS, but exactly what that is depends on env vars, profiles, credentials files, config files, and probably the phase of the moon and how recently your cat last ate.
    (And if you have no cat, then I don't know how it figures it out.)
    `getRegion()` also takes an InvokeOptions, so to be certain of getting `us-east-1`, you really need to be calling `getRegion({ provider: new Provider("foo", { region: "us-east-1" }) })`.
    I've long ago given up trying to figure out how AWS+Pulumi+automation-api all combine to influence which credentials are used. I nearly always explicitly load the AWS config from the stack file, create an explicit provider, and use it. It never fails.

    most-lighter-95902

    6 months ago
    This is so great - it was confusing me to no end! I ran into so many issues. I’m just going to do what you suggested.
    Thanks again - this was VERY helpful!
    @little-cartoon-10569 If you don’t mind, can I ask you about Pulumi plugin versions in Automation API? I’m really confused as to how it picks the version it requires. Locally I’m using the latest version, but automation API frequently errors out citing another older version?

    little-cartoon-10569

    6 months ago
    Sorry, not my area of specialty 😞 I'd check the package.json and lock file...
    Or maybe Lee or Evan might know.. try posting a new thread and see if you get any bites.

    most-lighter-95902

    6 months ago
    OK got it - thank you!!