https://pulumi.com logo
Powered by
Title
a

average-table-75151

02/02/2023, 11:31 AM
AWS Provider settings help! Up until now we have used env vars to set and use the default AWS provider: 
export AWS_REGION=xx-xxx-x
export AWS_PROFILE=yyyyy
Now i am trying to use the Pulumi config instead of env vars, so i've added the following settings to the stack's pulumi config: 
config:
  aws:profile: yyyyy
  aws:region: xx-xxx-x
Now i am getting the following errors: 
error: unable to validate AWS credentials.
    Details: no valid credential sources for  found.
I tried to add 
skipCredentialsValidation: true
and 
skipMetadataApiCheck: false
but getting the same result. 
pulumi about
added in comments
➜ ~ pulumi about
CLI
Version 3.49.0
Go Version go1.19.3
Go Compiler gc

Plugins
NAME VERSION
aws 5.24.0
aws 5.24.0
cloudflare 3.6.0
cloudflare 3.3.0
datadog 3.3.0
datadog 3.3.0
docker 3.6.1
docker 3.0.0
kafka 3.4.0
kafka 3.0.1
kubernetes 3.6.0
kubernetes 3.6.0
mysql 3.1.0
mysql 3.0.0
nodejs unknown
okta 3.17.0
okta 3.0.0
pagerduty 2.2.0
pagerduty 2.1.1
postgresql 3.6.0
postgresql 3.6.0
rabbitmq 3.2.0
rabbitmq 3.0.0
random 4.10.0
random 4.2.0
spotinst 3.8.0
spotinst 3.8.0
tls 4.8.0
tls 4.0.0

Host
OS amazon
Version 2
Arch x86_64

This project is written in nodejs: executable='~/.nvm/versions/node/v14.21.0/bin/node' version='v14.21.0'
m

millions-furniture-75402

02/02/2023, 1:58 PM
Have you validated the credentials with the aws CLI? 
aws --profile my-profile sts get-caller-identity
a

average-table-75151

02/02/2023, 2:11 PM
@millions-furniture-75402 yes of course. Also it works if i put back the env vars.
m

millions-furniture-75402

02/02/2023, 2:11 PM
Where are you storing your state, the Pulumi cloud or s3?
a

average-table-75151

02/02/2023, 2:11 PM
Pulumi cloud
m

millions-furniture-75402

02/02/2023, 2:11 PM
Does your profile use MFA or SSO?
a

average-table-75151

02/02/2023, 2:12 PM
SSO
m

millions-furniture-75402

02/02/2023, 2:12 PM
What version of the aws provider are you using?
a

average-table-75151

02/02/2023, 2:12 PM
Again, it works with the exact same creds with the env vars
aws 5.24.0
m

millions-furniture-75402

02/02/2023, 2:13 PM
Can you share an example of your aws profile configuration?
Details: no valid credential sources for  found.
really odd that the profile name is blank in this message.
a

average-table-75151

02/02/2023, 2:15 PM
Sure: 
[my-profile]
aws_access_key_id = xxxxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxx
aws_session_token = xxxxxxxxxxxxxx
aws_security_token = xxxxxxxxxxxxxx
m

millions-furniture-75402

02/02/2023, 2:15 PM
I asked about MFA and SSO because the Pulumi AWS Provider (non-native, based on the terraform provider) lacks support for some of the AWS profile properties.
a

average-table-75151

02/02/2023, 2:16 PM
Oh i see. But then comes the question - what's the difference between using env vars and pulumi config for the provider?
m

millions-furniture-75402

02/02/2023, 2:17 PM
I suppose if there are other AWS_ variables in your environment, with the latest major AWS provider, the profile takes precedence over them.
Not sure that's what's going on here though
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-4-upgrade
Are you using aws-vault by chance?
a

average-table-75151

02/02/2023, 2:21 PM
Not using aws-vault
Also verified no other 
AWS_
env vars exists
m

millions-furniture-75402

02/02/2023, 2:27 PM
Why do you have 
aws_security_token
and 
aws_session_token
?
m

melodic-tomato-39005

02/02/2023, 4:24 PM
The env variables and the config should be exactly equivalent. The fact that setting 
skipCredentialsValidation
doesn’t do anything makes me wonder if the config is accidentally applied to a different stack than the program?
a

average-table-75151

02/02/2023, 6:29 PM
@melodic-tomato-39005 Not sure i understand that...
m

melodic-tomato-39005

02/02/2023, 6:57 PM
Does 
pulumi stack ls
show more than one stack? Each 
up
or 
config set
command only applies to a particular stack.
a

average-table-75151

02/02/2023, 7:04 PM
Oh no. In this case we have 1 stack for this project so definitely it applies correctly. I have also moved some more providers creds from env vars to pulumi config but only with AWS profile i had an issue.
m

melodic-tomato-39005

02/02/2023, 7:04 PM
This might actually be a bug then. A pretty bad one. Let me try to reproduce.
at least you have the env var workaround
a

average-table-75151

02/02/2023, 7:05 PM
That's true
m

millions-furniture-75402

02/02/2023, 9:35 PM
Have you tried removing the 
aws_security_token
from the profile?
3 Views
#awsJoin Slack
Powered by