bitter-painter-79520

02/15/2023, 11:08 AM
Hi all, I'm trying to correlate an error in Pulumi with AWS CloudTrail logs. The error doesn't show up under the username it should, so I'm trying to find something by time. Is there a way to get timestamps into the Pulumi console output?

billowy-army-68599

02/15/2023, 2:08 PM
Timestamps for what? Resources? We are in the process of adding these.

bitter-painter-79520

02/15/2023, 2:10 PM
Hi Jaxxstorm, thanks for replying. Basically anything I get in the Pulumi console output. I want to see when a 403 has happened so that I can limit the CloudTrail messages to a smaller time frame while digging through everything.
I'm currently trying to create an S3 bucket with Pulumi and I'm running into a 403 permission problem, but CloudTrail doesn't show the error under the pipeline user that's supposed to run Pulumi.

billowy-army-68599

02/15/2023, 2:11 PM
We don’t store the api call result in state, and the 403 comes from the api. What’s the exact error?

bitter-painter-79520

02/15/2023, 2:13 PM
error: 1 error occurred:
	* creating urn:pulumi:qa::…::aws:s3/bucket:Bucket::…: 1 error occurred:
	* error reading S3 Bucket (…-8efa1d8): Forbidden: Forbidden
	status code: 403, request id: …, host id: …
The CloudTrail logs have no error for the user running Pulumi. There's also no message with the request id I get back from Pulumi.
And I haven't found a good way to query CloudTrail by request id through the CLI.
My Pulumi code looks like this:
const s3BucketForLargeMails = new aws.s3.Bucket("…", {
  arn: "private",
  tags: {
    "component": "…",
  }
})
Is there a way to figure out the IAM permissions I need for this operation?

billowy-army-68599

02/15/2023, 2:34 PM
arn: "private",
This doesn’t look correct; you can’t specify the ARN of a bucket.

bitter-painter-79520

02/15/2023, 3:20 PM
I found this in one of the examples on your homepage, let me cross-check 🤦 No, I didn't, it was supposed to say acl.
No, that wasn't it though.
I'm still running into the same problem.
What's even stranger is that I see logs for CreateBucket being successful in CloudTrail:
Resources:
    + 15 to create
    ~ 1 to update
    16 changes. 5 unchanged
Updating (qa):
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:qa::…::pulumi:pulumi:Stack::...]
    ~ aws:s3/bucket:Bucket: (update)
        [id=…-654a382]
        [urn=urn:pulumi:qa::…::aws:s3/bucket:Bucket::...]
        [provider=urn:pulumi:qa::…::pulumi:providers:aws::default_5_26_0::74d005a3-ff4e-4d41-9e2e-2b0456e8acb5]
        acl         : "private"
      - arn         : "private"
        bucket      : "…-654a382"
        forceDestroy: false
        tags        : {
            component : "…"
        }
error: 1 error occurred:
	* updating urn:pulumi:qa::…::aws:s3/bucket:Bucket::…: 1 error occurred:
	* error reading S3 Bucket (…-654a382): Forbidden: Forbidden
	status code: 403, request id: 4V3G5FTC8DP7E552, host id: …
error: update failed
Resources:
    5 unchanged
Duration: 3s
Is there a way to figure out the IAM permissions I need for this operation?

billowy-army-68599

02/15/2023, 5:21 PM
Run iamlive in a separate terminal and set these env vars before running pulumi:
export AWS_CSM_ENABLED=true
export AWS_CSM_PORT=31000
export AWS_CSM_HOST=127.0.0.1

bitter-painter-79520

02/15/2023, 5:53 PM
Thank you. I'll try that tomorrow.
Thank you so much for suggesting iamlive. That helped me resolve my issue. 👍
I'm still confused that the actions didn't show up under the gitlab user in CloudTrail. Pulumi doesn't have any other credentials than the ones I've configured, so that remains a mystery 🤔