AWS config in pulumi stack config is no longer respected #791

Closed
shellicar opened this issue Nov 9, 2019 · 9 comments

@shellicar

Issue

Previously, aws config, including aws:accessKey, aws:region, and aws:secretKey were used from the Pulumi.{stack}.yaml file.
This no longer seems to be the case after what I can only guess was a dependency update.
It was working on
Even though pulumi itself was not updated, and no packages in the package.json (using TypeScript) were updated, a CICD build that used to work now no longer works with no changes. And using pulumi refresh no longer works locally.

I can't recommend or use a tool that can break when I haven't even updated anything myself.

Error Message

error: Preview failed: unable to discover AWS AccessKeyID and/or SecretAccessKey - see https://pulumi.io/install/aws.html for details on configuration

This page defined how to configure AWS credentials using the AWS CLI, which I am not using.

Config

This is the stack config I am using with sensitive info changed.

config:
  aws:accessKey: <accesskey>
  aws:region: <region>
  aws:secretKey:
    secure: <secret>

References

https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration

@pgavlin
Member

pgavlin commented Nov 15, 2019

This is very surprising. What version of the pulumi CLI and @pulumi/pulumi-aws package were you using?

@stack72
Contributor

stack72 commented Dec 1, 2019

Hi @shellicar

So I have been looking at this right now. I have the following Pulumi code:

import * as aws from "@pulumi/aws";

const stack = aws.cloudformation.getStack({name: "Stack72Demo"});

export const name = stack.name;
export const templateBody = stack.templateBody;

I have the following Pulumi.dev.yaml

config:
  aws:accessKey:
    secure: AAABAG8kJDVPIHcROS5JsPycl4Fr0FfBeZjb5dlmyTCnCOL0pAXXkiSg+fFORAzjxaDuDQ==
  aws:region: us-west-2
  aws:secretKey:
    secure: AAABAPPfMoE16zO12UcF4d3I3xRAVl7QJAYfHuIkIMdUU17aUlHiKlmaRLU7KySfTpW7jQwm3yymx2k+Bu3P3SatMtHmoBHn

When I run Pulumi up, I get the following:

▶ pulumi up --yes
Previewing update (dev):

     Type                 Name              Plan
 +   pulumi:pulumi:Stack  get-cf-stack-dev  create

Resources:
    + 1 to create

Updating (dev):

     Type                 Name              Status
 +   pulumi:pulumi:Stack  get-cf-stack-dev  created

Outputs:
    name        : "Stack72Demo"
    templateBody: "{\"AWSTemplateFormatVersion\":\"2010-09-09\",\"Description\":\"AWS CloudFormation Sample Template SQS_With_CloudWatch_Alarms: Sample template showing how to create an SQS queue with AWS CloudWatch alarms on queue depth. **WARNING** This template creates an Amazon SQS Queue and one or more Amazon CloudWatch alarms. You will be billed for the AWS resources used if you create a stack from this template.\",\"Outputs\":{\"QueueARN\":{\"Description\":\"ARN of newly created SQS Queue\",\"Value\":{\"Fn::GetAtt\":[\"MyQueue\",\"Arn\"]}},\"QueueName\":{\"Description\":\"Name newly created SQS Queue\",\"Value\":{\"Fn::GetAtt\":[\"MyQueue\",\"QueueName\"]}},\"QueueURL\":{\"Description\":\"URL of newly created SQS Queue\",\"Value\":{\"Ref\":\"MyQueue\"}}},\"Parameters\":{\"AlarmEMail\":{\"AllowedPattern\":\"([a-zA-Z0-9_\\\\-\\\\.]+)@((\\\\[[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.)|(([a-zA-Z0-9\\\\-]+\\\\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\\\\]?)\",\"ConstraintDescription\":\"must be a valid email address.\",\"Description\":\"EMail address to notify if there are any operational issues\",\"Type\":\"String\"}},\"Resources\":{\"AlarmTopic\":{\"Properties\":{\"Subscription\":[{\"Endpoint\":{\"Ref\":\"AlarmEMail\"},\"Protocol\":\"email\"}]},\"Type\":\"AWS::SNS::Topic\"},\"MyQueue\":{\"Properties\":{},\"Type\":\"AWS::SQS::Queue\"},\"QueueDepthAlarm\":{\"Properties\":{\"AlarmActions\":[{\"Ref\":\"AlarmTopic\"}],\"AlarmDescription\":\"Alarm if queue depth grows beyond 10 messages\",\"ComparisonOperator\":\"GreaterThanThreshold\",\"Dimensions\":[{\"Name\":\"QueueName\",\"Value\":{\"Fn::GetAtt\":[\"MyQueue\",\"QueueName\"]}}],\"EvaluationPeriods\":\"1\",\"InsufficientDataActions\":[{\"Ref\":\"AlarmTopic\"}],\"MetricName\":\"ApproximateNumberOfMessagesVisible\",\"Namespace\":\"AWS/SQS\",\"Period\":\"300\",\"Statistic\":\"Sum\",\"Threshold\":\"10\"},\"Type\":\"AWS::CloudWatch::Alarm\"}}}"

Resources:
    + 1 created

Duration: 9s

Please note, I have no environment variables set for AWS - that would be the other way of the provider being configured:

▶ env | grep AWS_

Please can you try this again using the latest Pulumi AWS plugin and see if this is still a problem for you?

Thanks

Paul
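
The comment above names two places the provider can find credentials: the stack config and `AWS_` environment variables. The following is an added example, not code from the issue or from Pulumi, that reports which of the two is visible in a given shell without printing any values, so the output can be compared between a working and a failing environment. The function names are hypothetical, and the parser assumes the flat two-space layout shown on this page rather than general YAML.

```sh
# Added example (not from the issue): prints key names and storage form only, never values.

# classify_stack_config FILE -> "<key> <plaintext|secure|empty|missing>" per key
classify_stack_config() {
  awk '
    # Entry under "config:": two-space indent, key, colon, optional inline value
    /^  [^ #][^ ]*:( |$)/ {
      cur = $1; sub(/:$/, "", cur)
      val = $0; sub(/^  [^ ]+:[ ]*/, "", val)
      state[cur] = (val == "") ? "empty" : "plaintext"
    }
    # A nested "secure:" child means the value is stored encrypted
    /^    secure:/ { if (cur != "") state[cur] = "secure" }
    END {
      n = split("aws:accessKey aws:secretKey aws:region", want, " ")
      for (i = 1; i <= n; i++)
        print want[i], ((want[i] in state) ? state[want[i]] : "missing")
    }
  ' "$1"
}

# aws_env_names -> names (not values) of AWS_* variables, like `env | grep AWS_`
aws_env_names() {
  env | awk -F= '/^AWS_[A-Z0-9_]*=/ { print $1 }' | sort
}

# credential_sources FILE -> "stack-config" and/or "environment"
credential_sources() {
  if ! classify_stack_config "$1" | grep -Eq '^aws:(accessKey|secretKey) (missing|empty)$'; then
    echo stack-config
  fi
  names=$(aws_env_names)
  if printf '%s\n' "$names" | grep -qx AWS_ACCESS_KEY_ID &&
     printf '%s\n' "$names" | grep -qx AWS_SECRET_ACCESS_KEY; then
    echo environment
  fi
}

# Constructed sample in the layout of the reporter's Pulumi.{stack}.yaml
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
config:
  aws:accessKey: EXAMPLEACCESSKEYID
  aws:region: us-west-2
  aws:secretKey:
    secure: CONSTRUCTED-CIPHERTEXT
EOF
classify_stack_config "$SAMPLE"
credential_sources "$SAMPLE"
```

A `plaintext` result for `aws:secretKey` means the secret is stored unencrypted in the stack file; `aws:region` is expected to be plaintext.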

stack72 self-assigned this Dec 1, 2019
stack72 added area/providers kind/bug Some behavior is incorrect or out of spec labels Dec 1, 2019

@ron137

ron137 commented Dec 3, 2019

I have the same problem here, "pulumi up" is working fine, but "pulumi refresh" is not.

@MvnTruong

Sorry to bring up a 2-year-old issue, but I am just encountering this exact issue today where pulumi up works fine, but pulumi refresh does not, with the same error message error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see https://pulumi.io/install/aws.html for details on configuration.

I have two stacks that have identical pulumi.X.yaml files. It can pick up the AWS creds for one stack but not the other

@ceefour

ceefour commented Mar 16, 2022

I also get this issue.

This seems to be specific to some resources, notably:

  • aws:ssm:Parameter

@amannm-apple

same issue here, for some reason refresh locally works but not in CI

@ecmonsen

ecmonsen commented Apr 5, 2022

Just encountered the exact same issue, where pulumi up works but pulumi refresh and pulumi import do not.

Update! Running pip install --upgrade pulumi-aws, which installed pulumi-aws-5.1.0, fixed it for my Pulumi python project.

@christopher-haueter

I'm also experiencing this issue. pulumi refresh fails with

error: Preview failed: unable to discover AWS AccessKeyID and/or SecretAccessKey - see https://pulumi.io/install/aws.html for details on configuration

while other commands (e.g. pulumi up) complete successfully.

stack72 added this to the 0.74 milestone Jun 15, 2022

@stack72
Contributor

stack72 commented Jun 15, 2022

I believe this is fixed with #2004 and will get released in this week's release
