AWS_PROFILE not working, commands failing

[bombillazo]

What happened?

In pulumi-aws v5+, if the provider profile is specified by the config, it is now required to set the AWS_ACCESS_KEY and AWS_SECRET_KEY for that specific profile. Previously if there were no credentials, Terraform would fall back on the credentials found in the environment.

GH Issue
Terraform Provider Update

Given this, I am attempting to pass AWS_PROFILE as an env parameter to the actions as recommended here. However, this does not work and there is no way to relate the credentials to the was profile so Pulumi does not fail the command.

Steps to reproduce

1. Have an AWS profile set up in your aws provider.

- name: Pulumi preview
        uses: pulumi/actions@v3
        with:
          command: preview
          stack-name: myStack
        env:
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
          AWS_PROFILE: ${{ env.AWS_PROFILE }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_REGION: ${{ env.AWS_REGION }}

Expected Behavior

Actions can use the credentials set in the CI/CD process to the profile passed in the actions automatically. Command runs successfully.

Actual Behavior

Commands fail with the following error:

error configuring Terraform AWS Provider: failed to get shared config profile, my-profile

Versions used

@pulumi/aws 5.4.0
@pulumi/awsx 0.40.0
@pulumi/pulumi 3.32.1
@pulumi/random 4.6.0

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[jkisk]

Sorry for the confusion here, I believe you want to use a different action in a previous step, like: https://github.com/aws-actions/configure-aws-credentials, rather than passing aws creds via the env of the pulumi action.

[ringods]

@jkisk I think this is unrelated to Github Actions. On my laptop, I'm using export AWS_PROFILE=atriso to point to the correct sections in the following files:

~/.aws/config

[profile atriso]
region=eu-west-1
output=json

~/.aws/credentials

[atriso]
aws_access_key_id=<mykey>
aws_secret_access_key=<mysecret>

Only exporting AWS_PROFILE works when using the AWS CLI. For instance, aws iam list-users returns me the actual list of users I have in my AWS account.

With Pulumi, this worked when using pulumi-aws v3. This morning, I upgraded to pulumi-aws v5 and I get the error:

$ pulumi preview
Previewing update (production)

View Live: https://app.pulumi.com/<redacted>

     Type                 Name             Plan     Info
     pulumi:pulumi:Stack  root-production           
     └─ aws:iam:User      github-user               1 error
 
Diagnostics:
  aws:iam:User (github-user):
    error: unable to validate AWS AccessKeyID and/or SecretAccessKey - see https://pulumi.io/install/aws.html for details on configuration

This is clearly a regression. Probably in the upstream TF provider?

[danielrbradley]

One recent change is that we've started pre-validating credentials up-front rather than waiting for a resource to fail to deploy. One workaround is to set skipCredentialsValidation: true which will skip this step. However, there's also an additional change which should be released in the next hour (v5.7.1) which should address some issues in this credentials validation process.

[ringods]

This seems to be a duplicate of #1995

[stack72]

I believe this is fixed via #2004 and will go out into production with the new release this week