Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
b
bitter-painter-79520
02/15/2023, 11:08 AMHi all, I'm trying to correlate an error in Pulumi with AWS CloudTrail logs. The error doesn't show up under the username it should, so I'm trying to find something by time. Is there a way to get timestamps into the Pulumi console output?
b
billowy-army-68599
02/15/2023, 2:08 PMTime stamps for what? Resources? We are in the process of adding these
b
bitter-painter-79520
02/15/2023, 2:10 PMHi Jaxxstorm, thanks for replying. Basically anything I get in the Pulumi console output. I want to see when a 403 has happened so that I can limit the CloudTrail messages to a smaller time frame while digging through everything.
I'm currently trying to create an S3 bucket with Pulumi and I'm running into a 403 permission problem, but CloudTrail doesn't show the error under the pipeline user that's supposed to run Pulumi.
b
billowy-army-68599
02/15/2023, 2:11 PMWe don’t store the api call result in state, and the 403 comes from the api. What’s the exact error?
b
bitter-painter-79520
02/15/2023, 2:13 PMerror: 1 error occurred:
* creating urn:pulumi:qa::…::aws:s3/bucket:Bucket::…: 1 error occurred:
* error reading S3 Bucket (…-8efa1d8): Forbidden: Forbidden
status code: 403, request id: …, host id: …And I haven't found a good way to query CloudTrail by request id through the CLI.
My Pulumi code looks like this:
const s3BucketForLargeMails = new aws.s3.Bucket("…", {
arn: "private",
tags: {
"component": "…",
}
})Is there a way to figure out the IAM permissions I need for this operation?
b
billowy-army-68599
02/15/2023, 2:34 PMarn: "private",b
bitter-painter-79520
02/15/2023, 3:20 PMaclNo, that wasn't it though.
I'm still running into the same problem.
What's even stranger is that I see logs for
CreateBucketResources:
+ 15 to create
~ 1 to update
16 changes. 5 unchanged
Updating (qa):
pulumi:pulumi:Stack: (same)
[urn=urn:pulumi:qa::…::pulumi:pulumi:Stack::...]
~ aws:s3/bucket:Bucket: (update)
[id=…-654a382]
[urn=urn:pulumi:qa::…::aws:s3/bucket:Bucket::...]
[provider=urn:pulumi:qa::…::pulumi:providers:aws::default_5_26_0::74d005a3-ff4e-4d41-9e2e-2b0456e8acb5]
acl : "private"
- arn : "private"
bucket : "…-654a382"
forceDestroy: false
tags : {
component : "…"
}
error: 1 error occurred:
* updating urn:pulumi:qa::…::aws:s3/bucket:Bucket::…: 1 error occurred:
* error reading S3 Bucket (…-654a382): Forbidden: Forbidden
status code: 403, request id: 4V3G5FTC8DP7E552, host id: …
error: update failed
Resources:
5 unchanged
Duration: 3sIs there a way to figure out the IAM permissions I need for this operation?
b
billowy-army-68599
02/15/2023, 5:21 PMrun iamlive in a separate terminal and set these env vars before running pulumi
export AWS_CSM_ENABLED=true
export AWS_CSM_PORT=31000
export AWS_CSM_HOST=127.0.0.1b
bitter-painter-79520
02/15/2023, 5:53 PMThank you. I'll try that tomorrow.
Thank you so much for suggesting iamlive. That helped me resolve my issue. 👍
I'm still confused the actions didn't show up under the gitlab user in CloudTrail. Pulumi doesn't have any other credentials than that ones I've configured, so that remains a mystery 🤔