https://pulumi.com
Join Slack
This message was deleted.
# aws
s
This message was deleted.
f
Not sure why you need 2 sections in the config, but I just have one:
Copy code
[profile xxx]   
sso_start_url = <https://xxx.awsapps.com/start#/>
sso_region = ap-southeast-2
sso_account_id = 123456789
sso_role_name = AdministratorAccess
region = ap-southeast-2    
aws_account_id = xxx-sso
Works with any tool (awscli, pulumi, terraform)
f
Okay need to try it out. This is what aws sso configure command gives you.
Unfortunately this did not work for me either, still getting error:
Copy code
error: unable to validate AWS credentials.
    Details: no valid credential sources for  found.
    
    Please see
    for more information about providing credentials.
    
    Error: failed to refresh cached credentials, the SSO session has expired or is invalid: open /Users/my_user/.aws/sso/cache/5b4332413256eb7492af48c99f1ed4408c4ad28e.json: no such file or directory
This is my profile in 
~/.aws/config
Copy code
[profile my-profile]
sso_start_url = <https://xxx.awsapps.com/start>
sso_region = eu-west-1
sso_account_id = 123415123123
sso_role_name = PowerUserAccess
region = eu-north-1
output = json
s
im assuming youre setting the AWS_PROFILE="my-profile" environment variable, doing an aws sso login and then running pulumi ?
f
SSO creds are short-lived (I think 6 hours by default?) so you need to do
Copy code
aws sso login --profile xxx
pretty often. Not sure about the complaints about the cache, though, I'd try to remove it if it still doesn't work. Maybe check if the directory /Users/my_user/.aws/sso/cache/ exists firstt
f
I have not actually set AWS_PROFILE explicitly, but it is configured in aws/config file. And Pulumi can find the profile, so I do not think this is the issue. Also, forgot to mention, but awscli is working fine with the sso profile
f
So this works but Pulumi doesn't? @future-receptionist-60599
Copy code
aws --profile value-dev sts get-caller-identity
f
So, something weird just happened. I deleted all old configurations, and when I ran 
aws configure sso
and left the 
SSO session name
empy (as in the screenshot) it started working. Now both awscli and pulumi works. BUT If I try to destroy a already created stack created by manually creating a profile in `~/.aws/credentials`:
Copy code
[806232589401_AdministratorAccess]
aws_access_key_id=<access_key>
aws_secret_access_key=<secret_key>
aws_session_token=<session_token>
The destroy does not work with those profiles created with 
aws configure sso
, instead I get error:
Copy code
error: 1 error occurred:
        * error retrieving account details: AWS account ID not previously found and failed retrieving via all available methods. See <https://www.terraform.io/docs/providers/aws/index.html#skip_requesting_account_id> for workaround and implications. Errors: 3 errors occurred:
        * failed getting account information via iam:GetUser: operation error IAM: GetUser, https response error StatusCode: 403, RequestID: c8c05dfc-6d04-4fc4-a3f9-d61b3ca98aa1, api error ExpiredToken: The security token included in the request is expired
        * error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 0967fe21-111a-4608-90f7-51f42afd87a0, api error ExpiredToken: The security token included in the request is expired
        * failed getting account information via iam:ListRoles: operation error IAM: ListRoles, https response error StatusCode: 403, RequestID: a28cce26-ac6d-464c-b10b-a411776f4878, api error ExpiredToken: The security token included in the request is expired
125 Views
Open in Slack
PreviousNext
Powered by

Pulumi Community

No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Powered by