magnificent-scientist-64889

10/31/2022, 8:25 AM
I could use some help on a problem I'm encountering. It might be that what I'm trying to do is not possible, but here goes. I have an automation program running in TypeScript that deploys a stack, and then uses the stack's output to initialize a new stack. The following env variables are set:
PULUMI_CONFIG_PASSPHRASE=pass
PULUMI_ACCESS_TOKEN=token
PULUMI_BACKEND_URL=backend
const args: LocalProgramArgs = {
    stackName: `bootstrap.${options.environment}`,
    workDir: bootstrapRootPath
};

const stack = await LocalWorkspace.createOrSelectStack(args, {
    secretsProvider: 'passphrase',
    stackSettings: {
        [args.stackName]: {
            secretsProvider: 'passphrase',
            config: {
                ['aws:profile']: '{profile-name}',
                ['aws:region']: `eu-west-1`,
            },
        },
    }
});

const result = await stack.up();
The output from the first stack is a KMS key alias, which can be accessed directly after this with:
aws kms describe-key --key-id {key-id} --profile {profile-name}
On initialization of the second stack:
const newStack = await LocalWorkspace.createOrSelectStack(args,
    {
        secretsProvider: `awskms://${result.outputs.kmsKeyAliasName.value}?region=${options.awsRegion}`,
        stackSettings: {
            [options.environment]: {
                ['secretsProvider']: `awskms://${result.outputs.kmsKeyAliasName.value}?region=${options.awsRegion}`,
                config: {
                    ['aws:profile']: '{profile-name}',
                    ['aws:region']: `eu-west-1`,
                },
            },
        }
    }
);
It fails with
error: secrets (code=Unknown): NoCredentialProviders: no valid providers in chain. Deprecated.
My only guess so far is that something is not cleared/properly set on the second LocalWorkspace.createOrSelectStack. If I change the secretsProvider in the second stack to passphrase, it runs through, and I can then set the correct provider by using the CLI command pulumi stack change-secrets-provider. Anyone got an idea or a possible solution?
I found the solution. It seems it's a race condition in some way, where the secretsProvider tries to resolve before the config is set, meaning it doesn't grab the aws:profile from the StackSettings. Adding the following to the createOrSelectStack forces the stack to use the right profile:
stackSettings: {
   ...
},
envVars: {
    AWS_PROFILE: '{profile-name}'
}
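
Added example, not part of the original thread or of the Pulumi SDK: a pre-flight check built on the thread's finding that the awskms secrets provider did not pick up aws:profile from the stack settings and needed AWS_PROFILE in envVars. The helper names, the credential variable list, and the use of one region for both the KMS URL and aws:region are assumptions.

```typescript
// Added example: hypothetical helpers, not part of the Pulumi SDK or the original thread.
// WorkspaceOpts mirrors the options object passed to LocalWorkspace.createOrSelectStack above.
interface StackCfg { secretsProvider: string; config: Record<string, string>; }
interface WorkspaceOpts {
  secretsProvider: string;
  stackSettings: Record<string, StackCfg>;
  envVars: Record<string, string>;
}

// Environment variables that give the AWS SDK an explicit credential source
// (assumption: this short list is enough for the check; it is not exhaustive).
const CREDENTIAL_ENV = ["AWS_PROFILE", "AWS_ACCESS_KEY_ID", "AWS_WEB_IDENTITY_TOKEN_FILE"];

// Build the second stack's options so the KMS URL, stack settings and AWS_PROFILE agree.
function buildKmsStackOpts(stackName: string, keyAlias: string, region: string, profile: string): WorkspaceOpts {
  if (!/^alias\/[A-Za-z0-9\/_-]+$/.test(keyAlias)) {
    throw new Error("unexpected KMS alias format: " + keyAlias);
  }
  const secretsProvider = "awskms://" + keyAlias + "?region=" + encodeURIComponent(region);
  const settings: Record<string, StackCfg> = {};
  settings[stackName] = { secretsProvider, config: { "aws:profile": profile, "aws:region": region } };
  return { secretsProvider, stackSettings: settings, envVars: { AWS_PROFILE: profile } };
}

// Return warnings for options that would leave an awskms secrets provider without
// an explicit credential source. baseEnv is the parent environment (e.g. process.env).
function preflight(opts: WorkspaceOpts, baseEnv: Record<string, string | undefined>): string[] {
  const warnings: string[] = [];
  if (opts.secretsProvider.indexOf("awskms://") !== 0) return warnings; // passphrase etc.
  const hasCreds = CREDENTIAL_ENV.some((k) => Boolean(opts.envVars[k] || baseEnv[k]));
  if (!hasCreds) {
    warnings.push("awskms: no AWS credential variables in envVars or parent environment");
  }
  for (const name of Object.keys(opts.stackSettings)) {
    if (opts.stackSettings[name].secretsProvider !== opts.secretsProvider) {
      warnings.push(name + ": secretsProvider differs from the workspace secretsProvider");
    }
  }
  return warnings;
}
```

Running preflight on the options object before createOrSelectStack turns the NoCredentialProviders failure into a readable warning at build time; a default profile or instance role can still supply credentials, so an empty variable list is a warning, not proof of failure.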