# aws
s
This message was deleted.
m
Unfortunately, that might be a bug (see also). I’ll look into it today - apologies!
d
Ooh, might there be a pulumi version difference causing this between my machines?
m
I don’t fully understand it yet but it’s possible.
d
hmm
`v3.54.0` on both… so it’s not that
m
I think it’s a bug in the pulumi aws provider.
d
ahh ok—well please let me know if there’s anything I can do to help! I do have a setup where it works in one case but not in another and I’m not entirely sure why
m
Is the code the same in both cases?
d
Yeah, the code is identical
(happy to hop on a zoom or whatever if it’d be helpful! just let me know and I can find some time)
m
Hey @dry-journalist-60579, I dug into this and other authentication issues in aws a bit, but couldn’t repro the problem. I suspect there is some local state that messes with things on your machine, since it works in the clean gitpod environment. Could you double-check things like environment variables, default aws profile etc., if you haven’t already?
d
I tried to ensure versions of python and pulumi and awscli are all the same… I’ll check
env
`~/.aws/config` files are identical
Oooh ok, wow, I just disabled my local Little Snitch network filter and it was able to run
I can’t seem to figure out why having Little Snitch on causes this issue as I don’t have any restrictions on these hosts/ports
m
Interesting! It matches the i/o timeout of the error message. Thanks for updating us!
d
No problem, sorry for the false alarm! I am wondering what the interaction is here though… I may have to email Little Snitch support because there doesn’t seem to be any preference related to this
None of the Provider Boolean arguments seem to affect the behavior either
BTW, I did notice another issue with SSO-based AWS cli profiles, similar to this issue with VS Code: https://github.com/aws/aws-toolkit-vscode/issues/3009 Newer versions of the CLI seem to follow a different format for how settings are stored in `~/.aws/config`. Rather than just a `[profile xxx]` section there is also a `[sso-session xxx]` section. The way the cli sets this up just doesn’t seem to work with `pulumi up`. Rather, I have to manually go in and make sure it’s in the “legacy” format. This is the error:
```
Exception: invoke of aws:iam/getRole:getRole failed: invocation of aws:iam/getRole:getRole returned an error: unable to validate AWS credentials.
    Details: loading configuration: profile "<profile-name>" is configured to use SSO but is missing required configuration: sso_region, sso_start_url
```
E.g. this works:
```ini
[profile <profile-name>]
sso_start_url = https://<subdomain>.awsapps.com/start
sso_region = <region>
sso_account_id = <account-id>
sso_role_name = <role-name>
region = <region>
output = json
```
and this doesn’t work:
```ini
[profile <profile-name>]
sso_session = <session-name>
sso_account_id = <account-id>
sso_role_name = <role-name>
region = <region>
output = json

[sso-session <session-name>]
sso_start_url = https://<subdomain>.awsapps.com/start
sso_region = <region>
sso_registration_scopes = sso:account:access
```
b
@dry-journalist-60579 we don’t support the sso-session configuration yet. See https://github.com/pulumi/pulumi-aws/issues/2272
d
ah, thank you, @billowy-army-68599. For what it’s worth, editing the `~/.aws/config` manually yields a configuration that works without needing something like https://github.com/jaxxstorm/aws-sso-creds
But that utility you built is nifty 🙂 I like it
```sh
eval $(aws-sso-creds export)
```
Does it support something like:
```sh
AWS_PROFILE=my-profile aws-sso-creds pulumi up
```
b
it has a `-p` flag - I haven’t considered creating an execution mechanism, but that’s an interesting idea
d
might be nice to have it just be a one-line wrapper to avoid needing to export any ENV vars in the current terminal session
a
What can be the solution of this problem?
d
Hmm what do you mean?
a
@dry-journalist-60579 I am having this issue also with an s3 bucket. It gives a similar issue of no aws credentials found with pulumi version 3.64.0. Were you able to find a solution to this issue?
d
What’s the error you’re getting?
a
```
error: Preview failed: unable to validate AWS credentials.
    Details: no valid credential sources for Pulumi AWS Classic found.
```
When I do this, everything works fine:
`AWS_PROFILE=my-profile pulumi up`
But when I try to do `pulumi up` only it gives me this error
d
Is it a problem that you need to specify your profile?
a
Yes
But how can I specify this in code? I am setting aws::profile in the pulumi yaml file
d
Hmm I have a bit of a different setup now. We’re using aws-sso-util and awsume to manage our AWS credentials locally
So doing that I’m able to just run pulumi up
a
Are you using this package in your github pipelines also?
d
I’m using Pulumi Deployments for CI/CD
And have an AWS role the pulumi deployment executor assumes