Ensure we validate credentials correctly

[stack72]

Fixes: #1995

Currently the creds validation is broken:

New code:

With AWS_PROFILE:

With default creds:

With Environment Vars for AWS_ACCESS_KEY_ID && AWS_SECRET_ACCESS_KEY

Using an AWS AssumeRole:

[github-actions]

Does the PR have any schema changes?

Looking good! No breaking changes found.
No new resources/functions.

[github-actions]

Does the PR have any schema changes?

Looking good! No breaking changes found.
No new resources/functions.

[github-actions]

Does the PR have any schema changes?

Looking good! No breaking changes found.
No new resources/functions.

[michaeldop]

How do I run pulumi with the aws provider from an ec2 instance using an instance role? This no longer works now

[stack72]

Hi @mdop-wh

Please can you tell me a few things here:

1. What was the version you upgraded from?
2. Do you have a config value for aws:skipMetadataApiCheck false - as per https://github.com/pulumi/pulumi-aws#authenticating-pulumi-aws-via-ec2-instance-metadata

Thanks! I want to ensure there is no regression here

Paul

[michaeldop]

Hi @stack72

1. We upgraded from 5.4.0 -> 5.9.1
   5.8.0 also worked on a different project
2. Yes we have had the skipMetadataApiCheck set to false for a while now

I just found out that 5.9.1 does work when I set aws:skipCredentialsValidation: true. So maybe this is required now?

[christophermaier]

We're hitting the exact same thing as @mdop-wh is (literally word-for-word 😅)

Reading the code in this PR, I'm surprised to see that the default value of aws:skipCredentialsValidation before was true... I'm not clear why having this value set to false is failing in AWS, particularly since we use the STS service to get credentials to use in the first place. Is there some specific IAM permission (or some other configuration) that is needed for validation to occur that I'm missing?