Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
d
dry-journalist-60579
02/13/2023, 4:03 PMSoo I’ve been pulling my hair out over this. I wanted to build a stack to implement a set of password policies across all the accounts in my org. I set up the accounts using ControlTower so there are a standard set of Roles, etc. that come “out of the box.”
I’m using an assumed role in the
Pulumi.yamlaws:assumeRole: '{"roleArn": "arn:aws:iam::xxx:role/service-role/AWSControlTowerAdmin"}'organization = aws.organizations.get_organization()organization.accountsrole_arn = pulumi.Output.format(
"arn:aws:iam::{0}:role/AWSControlTowerExecution", account.id
)
# Create Provider to assume role
provider = aws.Provider(
f"Provider: {account.name}",
assume_role={
"roleArn": role_arn,
},
)aws configure ssoAWS_PROFILE=my-profile pulumi previewType Name Plan Info
+ pulumi:pulumi:Stack aws-admin-stack-aws-admin create
+ ├─ aws:iam:AccountPasswordPolicy AccountPasswordPolicy: management account create
+ ├─ aws:iam:Policy AllowSSOAdminsToAssumeAWSControlTowerAdmin create
+ ├─ pulumi:providers:aws Provider: xxx create
+ ├─ pulumi:providers:aws Provider: xxx create
+ ├─ pulumi:providers:aws Provider: xxx create
+ ├─ pulumi:providers:aws Provider: xxx create
+ ├─ pulumi:providers:aws Provider: xxx create
+ ├─ pulumi:providers:aws Provider: xxx create
+ ├─ pulumi:providers:aws Provider: xxx create
+ ├─ aws:iam:RolePolicyAttachment AllowSSOAdminsToAssumeAWSControlTowerAdminAttachment create
└─ aws:iam:AccountPasswordPolicy AccountPasswordPolicy: xxx 1 error
error: unable to validate AWS credentials.
Details: no valid credential sources for found.
Please see
for more information about providing credentials.
Error: failed to refresh cached credentials, operation error SSO: GetRoleCredentials, https response error StatusCode: 0, RequestID: , request send failed, Get "<https://portal.sso.us-east-1.amazonaws.com/federation/credentials?account_id=xxx&role_name=AWSAdministratorAccess>": dial tcp: lookup <http://portal.sso.us-east-1.amazonaws.com|portal.sso.us-east-1.amazonaws.com> on 192.168.1.1:53: read udp 192.168.1.104:61325->192.168.1.1:53: i/o timeout≈m
melodic-tomato-39005
02/13/2023, 5:27 PMUnfortunately, that might be a bug (see also). I’ll look into it today - apologies!
d
dry-journalist-60579
02/13/2023, 5:38 PMOoh, might there be a pulumi version difference causing this between my machines?
m
melodic-tomato-39005
02/13/2023, 5:39 PMI don’t fully understand it yet but it’s possible.
d
dry-journalist-60579
02/13/2023, 5:40 PMhmm
v3.54.0m
melodic-tomato-39005
02/13/2023, 5:40 PMI think it’s a bug in the pulumi aws provider.
d
dry-journalist-60579
02/13/2023, 5:41 PMahh ok—well please let me know if there’s anything I can do to help! I do have a set up where it works in one case but not in another and I’m not entirely sure why
m
melodic-tomato-39005
02/13/2023, 5:41 PMIs the code the same in both cases?
d
dry-journalist-60579
02/13/2023, 6:37 PMYeah, the code is identical
(happy to hop on a zoom or whatever if it’d be helpful! just let me know and I can find some time)
m
melodic-tomato-39005
02/13/2023, 10:39 PMHey @dry-journalist-60579, I dug into this and other authentication issues in aws a bit, but couldn’t repro the problem. I suspect there is some local state that messes with things on your machine, since it works in the clean gitpod environment. Could you double-check things like environment variables, default aws profile etc., if you haven’t already?
d
dry-journalist-60579
02/14/2023, 12:05 AMI tried to ensure versions of python and pulumi and awscli are all the same… I’ll check
env~/.aws/configOooh ok, wow, I just disabled my local littlesntich network filter and it was able to run
I can’t seem to figure out why having little snitch on causes this issue as I don’t have any restrictions on these hosts/ports
m
melodic-tomato-39005
02/14/2023, 3:11 AMInteresting! It matches the i/o timeout of the error message. Thanks for updating us!
d
dry-journalist-60579
02/14/2023, 4:23 AMNo problem, sorry for the false alarm! I am wonder what the interaction is here though… I may have to email Little Snitch support because there doesn’t seem to be any preference related to this
None of the Provider Boolean arguments seem to affect the behavior either
BTW, I did notice another issue with SSO-based AWS cli profiles, similar to this issue with VS Code: https://github.com/aws/aws-toolkit-vscode/issues/3009
Newer versions of the CLI seem to follow a different format for how settings are stored in ~/.aws/config. Rather than just a
[profile xxx][sso-session xxx]pulumi upException: invoke of aws:iam/getRole:getRole failed: invocation of aws:iam/getRole:getRole returned an error: unable to validate AWS credentials.
Details: loading configuration: profile "<profile-name>" is configured to use SSO but is missing required configuration: sso_region, sso_start_url[profile <profile-name>]
sso_start_url = https://<subdomain>.<http://awsapps.com/start|awsapps.com/start>
sso_region = <region>
sso_account_id = <account-id>
sso_role_name = AWSAdmini<role-name>stratorAccess
region = <region>
output = json[profile <profile-name>]
sso_session = <session-name>
sso_account_id = <account-id>
sso_role_name = <role-name>
region = <region>
output = json
[sso-session <session-name>]
sso_start_url = https://<subdomain>.<http://awsapps.com/start|awsapps.com/start>
sso_region = <region>
sso_registration_scopes = sso:account:accessb
billowy-army-68599
02/14/2023, 2:36 PM@dry-journalist-60579 we don’t support the sso-session configuration yet. See https://github.com/pulumi/pulumi-aws/issues/2272
d
dry-journalist-60579
02/14/2023, 3:29 PMah, thank you, @billowy-army-68599. For what it’s worth, editing the
~/.aws/configBut that utility you built is nifty 🙂 I like it
eval $(aws-sso-creds export)AWS_PROFILE=my-profile aws-sso-creds pulumi upb
billowy-army-68599
02/14/2023, 3:33 PMit has a
-pd
dry-journalist-60579
02/14/2023, 3:47 PMmight be nice to have it just be a one-line wrapper to avoid needing to export any ENV vars in the current terminal session
a
alert-cartoon-12389
04/26/2023, 11:43 PMWhat can be the solution of this problem?
d
dry-journalist-60579
04/26/2023, 11:49 PMHmm what do you mean?
a
alert-cartoon-12389
04/26/2023, 11:51 PM@dry-journalist-60579 I am having this issue also with s3 bucket. It gives the similar issue of no aws credentials found with pulumi version 3.64.0. Did you able to find the solution of this issue?
d
dry-journalist-60579
04/26/2023, 11:52 PMWhat’s the error you’re getting?
a
alert-cartoon-12389
04/26/2023, 11:53 PMerror: Preview failed: unable to validate AWS credentials.
Details: no valid credential sources for Pulumi AWS Classic found.When I do this, everything works fine:
AWS_PROFILE=my-profile pulumi upd
dry-journalist-60579
04/26/2023, 11:55 PMIs it a problem that you need to specify your profile?
a
alert-cartoon-12389
04/26/2023, 11:57 PMYes
But how can I specify this in code, I am setting aws::profile in pulumi yaml file
d
dry-journalist-60579
04/26/2023, 11:59 PMHmm I have a bit of a different set up now. We’re using aws-so-util and awsume to manage our AWS credentials locally
So doing that I’m able to just run pulumi up
a
alert-cartoon-12389
04/27/2023, 12:00 AMAre you using this package in your github pipelines also?
d
dry-journalist-60579
04/27/2023, 12:00 AMI’m using Pulumi Deployments for CI/CD
And have a aws role the pulumi deployment executor assumes