magnificent-scientist-64889
10/31/2022, 8:25 AM
PULUMI_CONFIG_PASSPHRASE=pass
PULUMI_ACCESS_TOKEN=token
PULUMI_BACKEND_URL=backend
const args: LocalProgramArgs = {
    stackName: `bootstrap.${options.environment}`,
    workDir: bootstrapRootPath
};
const stack = await LocalWorkspace.createOrSelectStack(args, {
    secretsProvider: 'passphrase',
    stackSettings: {
        [args.stackName]: {
            secretsProvider: 'passphrase',
            config: {
                // '{profile-name}' is a placeholder for the AWS profile name
                ['aws:profile']: '{profile-name}',
                ['aws:region']: `eu-west-1`,
            },
        },
    }
});
const result = await stack.up();
The output from the first stack is a KMS key alias, which directly after this can be accessed by
aws kms describe-key --key-id {key-id} --profile {profile-name}
On initialization of the second stack:
const newStack = await LocalWorkspace.createOrSelectStack(args, {
    secretsProvider: `awskms://${result.outputs.kmsKeyAliasName.value}?region=${options.awsRegion}`,
    stackSettings: {
        [options.environment]: {
            ['secretsProvider']: `awskms://${result.outputs.kmsKeyAliasName.value}?region=${options.awsRegion}`,
            config: {
                // '{profile-name}' is a placeholder for the AWS profile name
                ['aws:profile']: '{profile-name}',
                ['aws:region']: `eu-west-1`,
            },
        },
    }
});
It fails with error: secrets (code=Unknown): NoCredentialProviders: no valid providers in chain. Deprecated.
My only guess so far is that something is not cleared/properly set on the second LocalWorkspace.createOrSelectStack. If I change the secretsProvider in the second stack to passphrase, it runs through.
And I can then set the correct provider by using the CLI: pulumi stack change-secrets-provider.
Anyone got an idea or a possible solution?

aws:profile from the StackSettings.
Adding the following to the createOrSelectStack forces the stack to use the right profile:
stackSettings: {
    ...
},
envVars: {
    AWS_PROFILE: '{profile-name}'
}