little-cartoon-10569
03/07/2023, 10:04 PMregion: "ap-southeast-4" as Region
, but as soon as it's used in a resource, we're getting:
error: unable to validate AWS credentials.
Details: no valid credential sources for found.
Please see
for more information about providing credentials.
Error: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 36223ba0-c4c9-4a7c-b795-59636, api error InvalidClientTokenId: The security token included in the request is invalid
(Note the missing interpolated values in for found and _Please see _)melodic-tomato-39005
03/07/2023, 10:10 PMlittle-cartoon-10569
03/07/2023, 10:11 PMmelodic-tomato-39005
03/07/2023, 10:14 PMlittle-cartoon-10569
03/07/2023, 10:15 PMmelodic-tomato-39005
03/07/2023, 10:20 PMlittle-cartoon-10569
03/07/2023, 10:20 PMmelodic-tomato-39005
03/07/2023, 10:21 PMlittle-cartoon-10569
03/07/2023, 10:21 PMmelodic-tomato-39005
03/07/2023, 10:21 PMlittle-cartoon-10569
03/08/2023, 5:20 AMerror: unable to validate AWS credentials.
Details: no valid credential sources for Pulumi AWS Classic found.
Please see <https://www.pulumi.com/registry/packages/aws/installation-configuration/>
for more information about providing credentials.
Error: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 8f032d1e-8e86-4dc0-af5a-41f980b, api error InvalidClientTokenId: The security token included in the request is invalid
Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`.
I don't know if it matters, but we're using MFA. I have just got a new session token, so that shouldn't be the problem? However, we're not assuming a role at any point (at least, not deliberately).melodic-tomato-39005
03/08/2023, 10:32 PMlittle-cartoon-10569
03/08/2023, 10:45 PMI have a theory that this is something to do with how default providers are resolved. Digging around the code for aws.Provider, it seems that if nothing is supplied for say region, it falls back to env variables. It probably first needs to fallback to the configured aws:region, and similarly for profile.This is something we can test.
melodic-tomato-39005
03/08/2023, 10:48 PMlittle-cartoon-10569
03/08/2023, 10:49 PMnew aws.Provider(`${resourceContainer}${"ap-southeast-2" == region ? "" : "-" + region}`, {
region: region,
profile: stackToAccountInfoMap.get(resourceContainer)!.profileName
melodic-tomato-39005
03/08/2023, 10:54 PMprofile
, I assume? which contains all information necessary for authentication?little-cartoon-10569
03/08/2023, 10:54 PMmelodic-tomato-39005
03/08/2023, 10:55 PMlittle-cartoon-10569
03/08/2023, 10:57 PMmelodic-tomato-39005
03/08/2023, 10:58 PMlittle-cartoon-10569
03/08/2023, 11:05 PMmelodic-tomato-39005
03/08/2023, 11:16 PM