https://pulumi.com logo
Powered by
#aws
Title
# aws
b

best-appointment-51810

07/18/2022, 5:34 PM
Hey Ive been trying to get pulumi to run in github codespaces I got the binary to work but then I always get:
Copy code
error: unable to validate AWS credentials - see <https://pulumi.io/install/aws.html> for details on configuration
I already tested that the aws cli can see the credentials
l

little-cartoon-10569

07/18/2022, 9:49 PM
What are you using AWS for? Is that where your backend is?
b

best-appointment-51810

07/19/2022, 12:15 AM
no I’m just trying to preview a stack that uses aws
l

little-cartoon-10569

07/19/2022, 12:16 AM
Hopefully you've already successfully used 
pulumi login
in the workflow (ideally via the Pulumi action)?
How are you getting your AWS creds in? OIDC, env vars, something else?
b

best-appointment-51810

07/19/2022, 1:03 AM
just as env vars for now
l

little-cartoon-10569

07/19/2022, 1:04 AM
And you're using the AWS credentials action to get them from secrets?
And (finally), you're not specifying an explicit profile in your provider that would mean the env vars aren't being used?
b

best-appointment-51810

07/19/2022, 1:10 AM
I just have them as a code spaces secret that exposes them as a env variable on the machine
and no I’m not using a profile
l

little-cartoon-10569

07/19/2022, 1:11 AM
Does 
aws sts get-caller-identity
return the expected values?
I've never used codespaces (never heard of it before), so I may ask some questions with very obvious answers. Like: can the shell access the internet? Do requests to AWS get to where they need to?
b

best-appointment-51810

07/19/2022, 1:14 AM
yeah 
aws sts get-caller-identity
works and yes I can get to the internet
l

little-cartoon-10569

07/19/2022, 1:18 AM
Hmm. Unless there's something in your stack YAML file, or in your provider constructor, that means that your env vars aren't being used, I can't think of anything else that would cause an AWS validation failure.
b

best-appointment-51810

07/19/2022, 1:20 AM
this is the stack YAML
Copy code
config:
    aws:region: us-east-1
    aws:skipCredentialsValidation: true
    cloudflare:apiToken:
      secure: redacted
    final:airflowpass:
      secure: redacted
    final:datadogApiKey:
      secure: redacted
    final:redispass:
      secure: redacted
    final:zoneId: redacted
    linode:token:
      secure: redacted
and the constructor
Copy code
const tags = {
    "File": path.join(__dirname, __filename),
    "Manged By": "pulumi",
    "Code": "London Bridge",
    "Project": "UoL final project"
}

const awsProvider = new aws.Provider("main",
    {
        defaultTags: {
            tags
        }
    }
)
l

little-cartoon-10569

07/19/2022, 1:26 AM
What does 
aws:skipCredentialsValidation: true
do? Looks like it might cause failure if validation is required....
And how come you create explicitly create a provider, then don't configure it? Does that mess up the credentials? I've never done that, no idea what it does..
Found the API docs for `skipCredentialsValidation`:
Skip the credentials validation via STS API. Used for AWS API implementations that do not have STS available/implemented.
Pretty sure you don't want that.
b

best-appointment-51810

07/19/2022, 1:34 AM
I doesn’t work with or with out it
l

little-cartoon-10569

07/19/2022, 2:03 AM
Still, if you're deploying to AWS, which does have the STS API, then you don't want to skip validation.
Can you try commenting out awsProvider?
Copy code
const awsProvider = null; /* new aws.Provider("main",
    {
        defaultTags: {
            tags
        }
    }
) */
This will force Pulumi to use the default AWS provider. If that works, then we've found the issue.
b

best-appointment-51810

07/19/2022, 3:17 AM
oh!
that was it
l

little-cartoon-10569

07/19/2022, 3:18 AM
Right. To fix this, you need to pass the credentials to the provider.
You can either use profiles (my preference), or you can grab the env vars and pass them to the provider access key and secret key params.
I do recommend sticking with the explicit provider, rather than using the default. If in the future you split your architecture across multiple accounts, having the explicit provider will make bugs harder to make and easier to find.
a

adorable-wall-67745

07/20/2022, 7:58 AM
@little-cartoon-10569 @best-appointment-51810 Hi all, I met the same issue when I try to run the quickstart demo. How can I fix it ?
l

little-cartoon-10569

07/20/2022, 7:31 PM
Can you link to the demo / code? It shouldn't happen in code provided by Pulumi.
a

adorable-wall-67745

07/20/2022, 10:56 PM
@little-cartoon-10569 Hi tenwit, thanks for your reply. In fact, I just followed the process of creating a demo on the official website :
Copy code
1. brew install pulumi/tap/pulumi
2. mkdir quickstart && cd quickstart
3. pulumi new aws-typescript
4. pulumi up
And when I run the 
pulumi up
, it always throw me this error:
Copy code
error: unable to validate AWS credentials - see <https://pulumi.io/install/aws.html> for details on configuration
The Directory Structure:
Pulumi.yaml:
Pulumi.dev.yaml:
l

little-cartoon-10569

07/20/2022, 11:05 PM
Does the quick start not tell you how to add the AWS credentials? That process doesn't set up creds.
a

adorable-wall-67745

07/20/2022, 11:06 PM
He tells me. And I had added my AWS credentials
Copy code
debug: Running program '/Users/user/Documents/workspace/quickstart1' in pwd '/Users/user/Documents/workspace/quickstart1' w/ args: 
    debug: Registering resource: t=aws:s3/bucket:Bucket, name=my-bucket, custom=true, remote=false
    debug: RegisterResource RPC prepared: t=aws:s3/bucket:Bucket, name=my-bucket
    debug: Retrieved credentials from "SharedConfigCredentials: /Users/user/.aws/credentials"
    debug: Trying to get account information via sts:GetCallerIdentity
    debug: [aws-sdk-go-v2] Request
    debug: POST / HTTP/1.1
    debug: Host: <http://sts.us-east-1.amazonaws.com|sts.us-east-1.amazonaws.com>
    debug: User-Agent: aws-sdk-go-v2/1.16.6 os/macos lang/go/1.18.3 md/GOOS/darwin md/GOARCH/amd64 api/sts/1.16.4
    debug: Content-Length: 43
    debug: Amz-Sdk-Invocation-Id: 2fbf2624-545e-4f8a-8c85-7d9a43bcf627
    debug: Amz-Sdk-Request: attempt=1; max=3
    debug: Authorization: AWS4-HMAC-SHA256 Credential=AKIA2ZRXE6QKFQPH2J5D/20220720/us-east-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date, Signature=9ca697c406025756ccb5cdadcf0623d0861c617500a3019e63665c9abee1b41a
    debug: Content-Type: application/x-www-form-urlencoded
    debug: X-Amz-Date: 20220720T231205Z
    debug: Accept-Encoding: gzip
    debug: 
    debug: Action=GetCallerIdentity&Version=2011-06-15
    debug: [aws-sdk-go-v2] retrying request STS/GetCallerIdentity, attempt 2
    debug: [aws-sdk-go-v2] Request
    debug: POST / HTTP/1.1
    debug: Host: <http://sts.us-east-1.amazonaws.com|sts.us-east-1.amazonaws.com>
    debug: User-Agent: aws-sdk-go-v2/1.16.6 os/macos lang/go/1.18.3 md/GOOS/darwin md/GOARCH/amd64 api/sts/1.16.4
    debug: Content-Length: 43
    debug: Amz-Sdk-Invocation-Id: 2fbf2624-545e-4f8a-8c85-7d9a43bcf627
    debug: Amz-Sdk-Request: attempt=2; max=3
    debug: Authorization: AWS4-HMAC-SHA256 Credential=AKIA2ZRXE6QKFQPH2J5D/20220720/us-east-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date, Signature=d331c2fc417183ff8b6dce27dfaf21e7c15ac7fd9c48feb56ce9d3c711b36782
    debug: Content-Type: application/x-www-form-urlencoded
    debug: X-Amz-Date: 20220720T231237Z
    debug: Accept-Encoding: gzip
    debug: 
    debug: Action=GetCallerIdentity&Version=2011-06-15
    debug: [aws-sdk-go-v2] retrying request STS/GetCallerIdentity, attempt 3
    debug: [aws-sdk-go-v2] Request
    debug: POST / HTTP/1.1
    debug: Host: <http://sts.us-east-1.amazonaws.com|sts.us-east-1.amazonaws.com>
    debug: User-Agent: aws-sdk-go-v2/1.16.6 os/macos lang/go/1.18.3 md/GOOS/darwin md/GOARCH/amd64 api/sts/1.16.4
    debug: Content-Length: 43
    debug: Amz-Sdk-Invocation-Id: 2fbf2624-545e-4f8a-8c85-7d9a43bcf627
    debug: Amz-Sdk-Request: attempt=3; max=3
    debug: Authorization: AWS4-HMAC-SHA256 Credential=AKIA2ZRXE6QKFQPH2J5D/20220720/us-east-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date, Signature=0424fc82b8c11249605b0594638fafc0cd41301ed7306ed3344960b3e3baf87f
    debug: Content-Type: application/x-www-form-urlencoded
    debug: X-Amz-Date: 20220720T231307Z
    debug: Accept-Encoding: gzip
    debug: 
    debug: Action=GetCallerIdentity&Version=2011-06-15
    debug: [aws-sdk-go-v2] max retry attempts exhausted, max 3
I found some errors like this
l

little-cartoon-10569

07/20/2022, 11:23 PM
I don't see any errors there?
Looks like your credentials are validly wrong.
On the machine this is running on, is the default profile valid? Or better, is there no default profile?
a

adorable-wall-67745

07/20/2022, 11:32 PM
Aha, I solved my problem, it was my DNS configuration that played a role, causing pulumi to not be able to get my configuration.
Thanks tenwit 🙂
👍 1
3 Views
Powered by