# general
Time stamps for what? Resources? We are in the process of adding these.
Hi Jaxxstorm, thanks for replying. Basically anything I get in the Pulumi console output. I want to see when a 403 has happened so that I can limit the CloudTrail messages to a smaller time frame while digging through everything.
I'm currently trying to create an S3 bucket with Pulumi and I'm running into a 403 permission problem, but CloudTrail doesn't show the error under the pipeline user that's supposed to run Pulumi.
We don’t store the api call result in state, and the 403 comes from the api. What’s the exact error?
```
error: 1 error occurred:
	* creating urn:pulumi:qa::…::aws:s3/bucket:Bucket::…: 1 error occurred:
	* error reading S3 Bucket (…-8efa1d8): Forbidden: Forbidden
	status code: 403, request id: …, host id: …
```
The CloudTrail logs have no error for the user running Pulumi. There's also no message with the request id I get back from Pulumi.
And I haven't found a good way to query CloudTrail by request id through the CLI.
My Pulumi code looks like this:
```
import * as aws from "@pulumi/aws";

// Bucket definition as posted in the thread; the `arn` property is what is discussed below.
const s3BucketForLargeMails = new aws.s3.Bucket("…", {
  arn: "private",
  tags: {
    "component": "…",
  }
});
```
Is there a way to figure out the IAM permissions I need for this operation?
```
arn: "private",
```
This doesn’t look correct; you can’t specify the arn of a bucket.
I found this in one of the examples on your homepage, let me cross-check 🤦 No, I didn't, it was supposed to say `acl`.
No, that wasn't it though.
I'm still running into the same problem.
What's even stranger is that I see logs for `CreateBucket` being successful in CloudTrail.
```
Resources:
    + 15 to create
    ~ 1 to update
    16 changes. 5 unchanged
Updating (qa):
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:qa::…::pulumi:pulumi:Stack::...]
    ~ aws:s3/bucket:Bucket: (update)
        [id=…-654a382]
        [urn=urn:pulumi:qa::…::aws:s3/bucket:Bucket::...]
        [provider=urn:pulumi:qa::…::pulumi:providers:aws::default_5_26_0::74d005a3-ff4e-4d41-9e2e-2b0456e8acb5]
        acl         : "private"
      - arn         : "private"
        bucket      : "…-654a382"
        forceDestroy: false
        tags        : {
            component : "…"
        }
error: 1 error occurred:
	* updating urn:pulumi:qa::…::aws:s3/bucket:Bucket::…: 1 error occurred:
	* error reading S3 Bucket (…-654a382): Forbidden: Forbidden
	status code: 403, request id: 4V3G5FTC8DP7E552, host id: …
error: update failed
Resources:
    5 unchanged
Duration: 3s
```
Is there a way to figure out the IAM permissions I need for this operation?
Run iamlive in a separate terminal and set these env vars before running pulumi:
```
export AWS_CSM_ENABLED=true
export AWS_CSM_PORT=31000
export AWS_CSM_HOST=127.0.0.1
```
Thank you. I'll try that tomorrow.
Thank you so much for suggesting iamlive. That helped me resolve my issue. 👍
I'm still confused that the actions didn't show up under the gitlab user in CloudTrail. Pulumi doesn't have any other credentials than the ones I've configured, so that remains a mystery 🤔