pulumi-aws: Cannot authenticate on AWS using switchrole
Hello,
I’m trying to bootstrap my first pulumi project but I’m encountering an issue with the supported authentication method on AWS.
If I’m using a profile in which my credentials are defined (with `aws_access_key_id` and `aws_secret_access_key`), it works like a charm. But that’s not how we work in my company: we have a source account and we’re using switchrole to jump from that source account to all other accounts (this is standard AWS procedure when you’re dealing with multiple accounts).
Here’s the look of my profiles in `~/.aws/config`:
```ini
[profile myprofile]
role_arn = arn:aws:iam::<AWS destination account id>:role/<the role I'm going to impersonate>
mfa_serial = arn:aws:iam::<source AWS account ID>:mfa/<IAM User name on the source account>
source_profile = <the profile name in which my keys are defined for my source account>
```
Now when I’m using one of those profiles, it fails:
```
$ AWS_PROFILE=myprofile pulumi update
Previewing update of stack 'prod'
Previewing changes:
Type Name Plan Info
* global global no change 1 error
+ └─ pulumi:pulumi:Stack first-pulumi-prod create
Diagnostics:
global: global
error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see https://pulumi.io/install/aws.html for details on configuration
error: an error occurred while advancing the preview
```
When using the same command line with my source profile (the one with the keys), I have the expected result:
```
Type Name Plan Info
+ pulumi:pulumi:Stack first-pulumi-prod create
+ └─ aws:s3:Bucket my-bucket create
info: 2 changes previewed:
+ 2 resources to create
Do you want to perform this update?
yes
> no
details
```
Is there any configuration I’m missing, or is it not possible for the moment to use an AWS profile with switchrole?
Thanks
About this issue
- State: closed
- Created 6 years ago
- Reactions: 7
- Comments: 26 (12 by maintainers)
Commits related to this issue
- Fixed bug, where assume-role was not working properly (#252) — committed to mi5guided/pulumi-aws by mi5guided 5 years ago
- Fixed bug, where assume-role was not working properly (#252) — committed to pulumi/pulumi-aws by mi5guided 5 years ago
- Map AWS_PROFILE to profile in AWS configuration This is the other part of fixing #252. — committed to pulumi/pulumi-aws by jen20 5 years ago
- Read all AWS env vars For both programmatic access, and for pre configuration, we must read in all the appropriate env vars. Fixes #252 — committed to pulumi/pulumi-aws by lukehoban 4 years ago
- Read all AWS env vars (#874) For both programmatic access, and for pre configuration, we must read in all the appropriate env vars. Fixes #252 — committed to pulumi/pulumi-aws by lukehoban 4 years ago
`~/.aws/credentials` is populated with account profiles like this:
I have tried setting the env var with `export AWS_PROFILE=profile-admin`, as well as setting `pulumi config set aws:profile profile-admin`, individually and separately, and get the error posted in the prior message. The only way I’ve been able to get anything to work is to set all three ENV variables:
While this is feasible for a POC, it is not very scalable. I would have expected the recommended settings of the ENV variable or the pulumi config setting to work fully on their own.
We use OneLogin to authenticate SSO and create sessions with temporary keys, so the three tokens would have to be changed every time you set up a new session.
My environment is Ubuntu on WSL; I have set up and used terraform with AWS profiles and can use profiles directly from python using `boto3.setup_default_session` calls.
If there is more detail you’d like, please let me know and I will try to specify.
With the setup below, things work.
In `~/.aws/credentials`:
In `~/.aws/config`:
In `Pulumi.<stack>.yaml`:
Results:
However, if I remove the `aws:profile` setting and instead set the `AWS_PROFILE` env var, I can reproduce:
I presume that provides a workaround for anyone hitting this (use `pulumi config set aws:profile <profile>`), though we should also fix the `AWS_PROFILE` env var support. Are there any other configurations folks have that are also hitting this error?
@joeduffy I had the same problem and after reading your comment I just created a new aws profile for pulumi and copied the remaining lines from the source profile into it. Then it worked. Thanks!
Also keep in mind that the other issue #584 leaves the impression that it does not work at all with MFA tokens.
We use `AssumeRole` as well. I’d like to cast my vote for supporting the `aws:profile` configuration setting.

@geof2001 would love any more details you can share on your setup. The usage pattern you describe is definitely supported in general, and used by many/most Pulumi users on AWS - so I expect there is some other more subtle twist on the scenario in your environment. Without sharing any sensitive data - can you share details of how you have your profile configured?
Can you try setting `AWS_SDK_LOAD_CONFIG=1` in addition to setting `AWS_PROFILE`? The underlying provider uses the AWS Go SDK and it does not read `~/.aws/config` by default. I would be interested in knowing if that works. If it does, I wonder if this is just something we should be setting ourselves in some cases, as this is surprising behavior.
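The following is an added illustration, not code from the issue or from pulumi-aws: a simplified model of the lookup the comment above describes, showing why a switch-role profile that exists only in `~/.aws/config` (as in the original post) yields "unable to discover AWS AccessKeyID" unless shared config loading is enabled. The two file contents and the `load_shared_config` flag (standing in for `AWS_SDK_LOAD_CONFIG=1`) are constructed assumptions, not the SDK's actual code.

```python
import configparser

# Constructed sample files mirroring the layout from the issue; the account
# ids, ARNs and keys are placeholders, not real credentials.
CREDENTIALS = """
[source]
aws_access_key_id = AKIA_PLACEHOLDER_KEY_ID
aws_secret_access_key = PLACEHOLDER_SECRET
"""

CONFIG = """
[profile myprofile]
role_arn = arn:aws:iam::111111111111:role/PulumiDeploy
mfa_serial = arn:aws:iam::222222222222:mfa/alice
source_profile = source
"""


def _parse(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def resolve_profile(profile, creds_text, config_text, load_shared_config, _seen=()):
    """Simplified model (assumption) of credential discovery for a profile.

    load_shared_config stands in for AWS_SDK_LOAD_CONFIG=1: when False only the
    credentials file is consulted, so a switch-role profile defined in
    ~/.aws/config is never seen and no keys are found.  Returns a dict
    describing the credential source, or raises LookupError.
    """
    if profile in _seen:
        raise LookupError("source_profile loop at %r" % profile)
    creds = _parse(creds_text)
    if creds.has_option(profile, "aws_access_key_id") and \
            creds.has_option(profile, "aws_secret_access_key"):
        return {"kind": "static", "profile": profile}
    if not load_shared_config:
        raise LookupError("unable to discover AWS AccessKeyID and/or "
                          "SecretAccessKey for profile %r" % profile)
    cfg = _parse(config_text)
    section = "profile " + profile
    if not cfg.has_option(section, "role_arn"):
        raise LookupError("profile %r has neither keys nor role_arn" % profile)
    # Switch-role profile: keys come from source_profile, resolved recursively
    # because the source may itself be a role profile.
    source = cfg.get(section, "source_profile")
    base = resolve_profile(source, creds_text, config_text, True, _seen + (profile,))
    return {"kind": "assume_role",
            "role_arn": cfg.get(section, "role_arn"),
            "mfa_serial": cfg.get(section, "mfa_serial", fallback=None),
            "source": base}
```

Calling `resolve_profile("myprofile", CREDENTIALS, CONFIG, False)` raises the discovery error while the same call with `True` returns the assume-role chain, which is the difference the suggestion above tests for.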