Hey, I've been trying to get Pulumi to run in GitHub...
# aws
b
Hey, I've been trying to get Pulumi to run in GitHub Codespaces. I got the binary to work, but then I always get:
error: unable to validate AWS credentials - see <https://pulumi.io/install/aws.html> for details on configuration
I already tested that the AWS CLI can see the credentials
l
What are you using AWS for? Is that where your backend is?
b
No, I’m just trying to preview a stack that uses AWS
l
Hopefully you've already successfully used `pulumi login` in the workflow (ideally via the Pulumi action)?
How are you getting your AWS creds in? OIDC, env vars, something else?
b
just as env vars for now
l
And you're using the AWS credentials action to get them from secrets?
And (finally), you're not specifying an explicit profile in your provider that would mean the env vars aren't being used?
b
I just have them as a Codespaces secret that exposes them as an env variable on the machine
and no, I’m not using a profile
l
Does `aws sts get-caller-identity` return the expected values?
I've never used codespaces (never heard of it before), so I may ask some questions with very obvious answers. Like: can the shell access the internet? Do requests to AWS get to where they need to?
b
yeah, `aws sts get-caller-identity` works and yes I can get to the internet
l
Hmm. Unless there's something in your stack YAML file, or in your provider constructor, that means that your env vars aren't being used, I can't think of anything else that would cause an AWS validation failure.
b
this is the stack YAML
config:
    aws:region: us-east-1
    aws:skipCredentialsValidation: true
    cloudflare:apiToken:
      secure: redacted
    final:airflowpass:
      secure: redacted
    final:datadogApiKey:
      secure: redacted
    final:redispass:
      secure: redacted
    final:zoneId: redacted
    linode:token:
      secure: redacted
and the constructor
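import * as path from "path";
import * as aws from "@pulumi/aws";

// Tags applied to every resource created through this provider.
const tags = {
    "File": path.join(__dirname, __filename),
    "Managed By": "pulumi",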
    "Code": "London Bridge",
    "Project": "UoL final project"
}

const awsProvider = new aws.Provider("main",
    {
        defaultTags: {
            tags
        }
    }
)
l
What does `aws:skipCredentialsValidation: true` do? Looks like it might cause failure if validation is required....
And how come you explicitly create a provider, then don't configure it? Does that mess up the credentials? I've never done that, no idea what it does..
Found the API docs for `skipCredentialsValidation`:
Skip the credentials validation via STS API. Used for AWS API implementations that do not have STS available/implemented.
Pretty sure you don't want that.
b
It doesn’t work with or without it
l
Still, if you're deploying to AWS, which does have the STS API, then you don't want to skip validation.
Can you try commenting out awsProvider?
const awsProvider = null; /* new aws.Provider("main",
    {
        defaultTags: {
            tags
        }
    }
) */
This will force Pulumi to use the default AWS provider. If that works, then we've found the issue.
b
oh!
that was it
l
Right. To fix this, you need to pass the credentials to the provider.
You can either use profiles (my preference), or you can grab the env vars and pass them to the provider access key and secret key params.
I do recommend sticking with the explicit provider, rather than using the default. If in the future you split your architecture across multiple accounts, having the explicit provider will make bugs harder to make and easier to find.
a
@little-cartoon-10569 @best-appointment-51810 Hi all, I met the same issue when I tried to run the quickstart demo. How can I fix it?
l
Can you link to the demo / code? It shouldn't happen in code provided by Pulumi.
a
@little-cartoon-10569 Hi tenwit, thanks for your reply. In fact, I just followed the process of creating a demo on the official website:
1. brew install pulumi/tap/pulumi
2. mkdir quickstart && cd quickstart
3. pulumi new aws-typescript
4. pulumi up
And when I run `pulumi up`, it always throws this error:
error: unable to validate AWS credentials - see <https://pulumi.io/install/aws.html> for details on configuration
The Directory Structure:
Pulumi.yaml:
Pulumi.dev.yaml:
l
Does the quick start not tell you how to add the AWS credentials? That process doesn't set up creds.
a
It tells me. And I had added my AWS credentials
debug: Running program '/Users/user/Documents/workspace/quickstart1' in pwd '/Users/user/Documents/workspace/quickstart1' w/ args: 
    debug: Registering resource: t=aws:s3/bucket:Bucket, name=my-bucket, custom=true, remote=false
    debug: RegisterResource RPC prepared: t=aws:s3/bucket:Bucket, name=my-bucket
    debug: Retrieved credentials from "SharedConfigCredentials: /Users/user/.aws/credentials"
    debug: Trying to get account information via sts:GetCallerIdentity
    debug: [aws-sdk-go-v2] Request
    debug: POST / HTTP/1.1
    debug: Host: sts.us-east-1.amazonaws.com
    debug: User-Agent: aws-sdk-go-v2/1.16.6 os/macos lang/go/1.18.3 md/GOOS/darwin md/GOARCH/amd64 api/sts/1.16.4
    debug: Content-Length: 43
    debug: Amz-Sdk-Invocation-Id: 2fbf2624-545e-4f8a-8c85-7d9a43bcf627
    debug: Amz-Sdk-Request: attempt=1; max=3
    debug: Authorization: AWS4-HMAC-SHA256 Credential=AKIA2ZRXE6QKFQPH2J5D/20220720/us-east-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date, Signature=9ca697c406025756ccb5cdadcf0623d0861c617500a3019e63665c9abee1b41a
    debug: Content-Type: application/x-www-form-urlencoded
    debug: X-Amz-Date: 20220720T231205Z
    debug: Accept-Encoding: gzip
    debug: 
    debug: Action=GetCallerIdentity&Version=2011-06-15
    debug: [aws-sdk-go-v2] retrying request STS/GetCallerIdentity, attempt 2
    debug: [aws-sdk-go-v2] Request
    debug: POST / HTTP/1.1
    debug: Host: sts.us-east-1.amazonaws.com
    debug: User-Agent: aws-sdk-go-v2/1.16.6 os/macos lang/go/1.18.3 md/GOOS/darwin md/GOARCH/amd64 api/sts/1.16.4
    debug: Content-Length: 43
    debug: Amz-Sdk-Invocation-Id: 2fbf2624-545e-4f8a-8c85-7d9a43bcf627
    debug: Amz-Sdk-Request: attempt=2; max=3
    debug: Authorization: AWS4-HMAC-SHA256 Credential=AKIA2ZRXE6QKFQPH2J5D/20220720/us-east-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date, Signature=d331c2fc417183ff8b6dce27dfaf21e7c15ac7fd9c48feb56ce9d3c711b36782
    debug: Content-Type: application/x-www-form-urlencoded
    debug: X-Amz-Date: 20220720T231237Z
    debug: Accept-Encoding: gzip
    debug: 
    debug: Action=GetCallerIdentity&Version=2011-06-15
    debug: [aws-sdk-go-v2] retrying request STS/GetCallerIdentity, attempt 3
    debug: [aws-sdk-go-v2] Request
    debug: POST / HTTP/1.1
    debug: Host: sts.us-east-1.amazonaws.com
    debug: User-Agent: aws-sdk-go-v2/1.16.6 os/macos lang/go/1.18.3 md/GOOS/darwin md/GOARCH/amd64 api/sts/1.16.4
    debug: Content-Length: 43
    debug: Amz-Sdk-Invocation-Id: 2fbf2624-545e-4f8a-8c85-7d9a43bcf627
    debug: Amz-Sdk-Request: attempt=3; max=3
    debug: Authorization: AWS4-HMAC-SHA256 Credential=AKIA2ZRXE6QKFQPH2J5D/20220720/us-east-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date, Signature=0424fc82b8c11249605b0594638fafc0cd41301ed7306ed3344960b3e3baf87f
    debug: Content-Type: application/x-www-form-urlencoded
    debug: X-Amz-Date: 20220720T231307Z
    debug: Accept-Encoding: gzip
    debug: 
    debug: Action=GetCallerIdentity&Version=2011-06-15
    debug: [aws-sdk-go-v2] max retry attempts exhausted, max 3
I found some errors like this
l
I don't see any errors there?
Looks like your credentials are validly wrong.
On the machine this is running on, is the default profile valid? Or better, is there no default profile?
a
Aha, I solved my problem, it was my DNS configuration that played a role, causing pulumi to not be able to get my configuration.
Thanks tenwit 🙂