pulumi-aws
AWS_SKIP_CREDENTIALS_VALIDATION doesn't work
What happened?
When running various combinations of `AWS_SKIP_CREDENTIALS_VALIDATION=1 pulumi preview`, `AWS_SKIP_CREDENTIALS_VALIDATION=true pulumi preview` and, for fun, `AWS_SKIP_CREDENTIALS_VALIDATION=false pulumi preview`, pulumi still tries looking for AWS credentials.
Example
mkdir skip-cred
cd skip-cred
pulumi new aws-python
This command will walk you through creating a new Pulumi project.
Enter a value or leave blank to accept the (default), and press <ENTER>. Press ^C at any time to quit.
project name (skip-cred): testtesttest
project description (A minimal AWS Python Pulumi program): asldfhas
Created project 'testtesttest'
Please enter your desired stack name.
To create a stack in an organization, use the format acmecorp/dev).
stack name (dev): dev-amy-amy
Created stack 'dev-amy-amy'
aws:region: The AWS region to deploy into (us-east-1):
Saved config
Installing dependencies...
Creating virtual environment...
Finished creating virtual environment
Updating pip, setuptools, and wheel in virtual environment...
Requirement already satisfied: pip in ./venv/lib/python3.9/site-packages (21.2.4)
Collecting pip
Using cached pip-24.0-py3-none-any.whl (2.1 MB)
Requirement already satisfied: setuptools in ./venv/lib/python3.9/site-packages (58.0.4)
Collecting setuptools
Downloading setuptools-70.0.0-py3-none-any.whl (863 kB)
|████████████████████████████████| 863 kB 3.9 MB/s
Collecting wheel
Using cached wheel-0.43.0-py3-none-any.whl (65 kB)
Installing collected packages: wheel, setuptools, pip
Attempting uninstall: setuptools
Found existing installation: setuptools 58.0.4
Uninstalling setuptools-58.0.4:
Successfully uninstalled setuptools-58.0.4
Attempting uninstall: pip
Found existing installation: pip 21.2.4
Uninstalling pip-21.2.4:
Successfully uninstalled pip-21.2.4
Successfully installed pip-24.0 setuptools-70.0.0 wheel-0.43.0
Finished updating
Installing dependencies in virtual environment...
Collecting pulumi<4.0.0,>=3.0.0 (from -r requirements.txt (line 1))
Using cached pulumi-3.116.1-py3-none-any.whl.metadata (11 kB)
Collecting pulumi-aws<7.0.0,>=6.0.2 (from -r requirements.txt (line 2))
Downloading pulumi_aws-6.37.0-py3-none-any.whl.metadata (9.4 kB)
Collecting protobuf~=4.21 (from pulumi<4.0.0,>=3.0.0->-r requirements.txt (line 1))
Using cached protobuf-4.25.3-cp37-abi3-macosx_10_9_universal2.whl.metadata (541 bytes)
Collecting grpcio~=1.60.1 (from pulumi<4.0.0,>=3.0.0->-r requirements.txt (line 1))
Using cached grpcio-1.60.1-cp39-cp39-macosx_10_10_universal2.whl.metadata (4.0 kB)
Collecting dill~=0.3 (from pulumi<4.0.0,>=3.0.0->-r requirements.txt (line 1))
Using cached dill-0.3.8-py3-none-any.whl.metadata (10 kB)
Collecting six~=1.12 (from pulumi<4.0.0,>=3.0.0->-r requirements.txt (line 1))
Using cached six-1.16.0-py2.py3-none-any.whl.metadata (1.8 kB)
Collecting semver~=2.13 (from pulumi<4.0.0,>=3.0.0->-r requirements.txt (line 1))
Using cached semver-2.13.0-py2.py3-none-any.whl.metadata (5.0 kB)
Collecting pyyaml~=6.0 (from pulumi<4.0.0,>=3.0.0->-r requirements.txt (line 1))
Using cached PyYAML-6.0.1-cp39-cp39-macosx_11_0_arm64.whl.metadata (2.1 kB)
Collecting parver>=0.2.1 (from pulumi-aws<7.0.0,>=6.0.2->-r requirements.txt (line 2))
Using cached parver-0.5-py3-none-any.whl.metadata (2.7 kB)
Collecting arpeggio>=1.7 (from parver>=0.2.1->pulumi-aws<7.0.0,>=6.0.2->-r requirements.txt (line 2))
Using cached Arpeggio-2.0.2-py2.py3-none-any.whl.metadata (2.4 kB)
Collecting attrs>=19.2 (from parver>=0.2.1->pulumi-aws<7.0.0,>=6.0.2->-r requirements.txt (line 2))
Using cached attrs-23.2.0-py3-none-any.whl.metadata (9.5 kB)
Collecting typing-extensions (from parver>=0.2.1->pulumi-aws<7.0.0,>=6.0.2->-r requirements.txt (line 2))
Using cached typing_extensions-4.11.0-py3-none-any.whl.metadata (3.0 kB)
Using cached pulumi-3.116.1-py3-none-any.whl (258 kB)
Downloading pulumi_aws-6.37.0-py3-none-any.whl (8.7 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 8.7/8.7 MB 27.1 MB/s eta 0:00:00
Using cached dill-0.3.8-py3-none-any.whl (116 kB)
Using cached grpcio-1.60.1-cp39-cp39-macosx_10_10_universal2.whl (9.7 MB)
Using cached parver-0.5-py3-none-any.whl (15 kB)
Using cached protobuf-4.25.3-cp37-abi3-macosx_10_9_universal2.whl (394 kB)
Using cached PyYAML-6.0.1-cp39-cp39-macosx_11_0_arm64.whl (174 kB)
Using cached semver-2.13.0-py2.py3-none-any.whl (12 kB)
Using cached six-1.16.0-py2.py3-none-any.whl (11 kB)
Using cached Arpeggio-2.0.2-py2.py3-none-any.whl (55 kB)
Using cached attrs-23.2.0-py3-none-any.whl (60 kB)
Using cached typing_extensions-4.11.0-py3-none-any.whl (34 kB)
Installing collected packages: arpeggio, typing-extensions, six, semver, pyyaml, protobuf, grpcio, dill, attrs, pulumi, parver, pulumi-aws
Successfully installed arpeggio-2.0.2 attrs-23.2.0 dill-0.3.8 grpcio-1.60.1 parver-0.5 protobuf-4.25.3 pulumi-3.116.1 pulumi-aws-6.37.0 pyyaml-6.0.1 semver-2.13.0 six-1.16.0 typing-extensions-4.11.0
Finished installing dependencies
Finished installing dependencies
Your new project is ready to go! ✨
To perform an initial deployment, run pulumi up
AWS_SKIP_CREDENTIALS_VALIDATION=true pulumi preview
Previewing update (dev-amy-amy)
View in Browser (Ctrl+O): https://app.pulumi.com/pulumi/testtesttest/dev-amy-amy/previews/34a5654c-64b9-4e84-be0c-ecf03060a7eb
Downloading plugin: 253.12 MiB / 253.12 MiB [=======================] 100.00% 9s
[resource plugin aws-6.37.0] installing
Loading policy packs...
Type Name Plan Info
- pulumi:pulumi:Stack testtesttest-dev-amy-amy create
└─ pulumi:providers:aws default_6_37_0 1 error
Policies: ✅ [email protected]
Diagnostics:
pulumi:providers:aws (default_6_37_0):
error: pulumi:providers:aws resource 'default_6_37_0' has a problem: unable to validate AWS credentials. Details: failed to get shared config profile, corp
~/Dev/skip-cred .............................................. 255 | took 26s | system node | at 11:00:11 AM
Output of pulumi about
Additional context
No response
I can confirm. It seems to ignore the env var, but if I set the setting using `pulumi config set` then it changes the error message but still does not do what you would expect:
pulumi config set aws:skipCredentialsValidation true
On latest:
aws:s3:Bucket (my-bucket):
error: 1 error occurred:
* No valid credential sources found: Please see https://registry.terraform.io/providers/hashicorp/aws
for more information about providing credentials.
Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, access disabled to EC2 IMDS via client option, or "AWS_EC2_METADATA_DISABLED" environment variable
On 5.42.0:
error: 1 error occurred:
* configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
Please see https://registry.terraform.io/providers/hashicorp/aws
for more information about providing credentials.
AWS Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, access disabled to EC2 IMDS via client option, or "AWS_EC2_METADATA_DISABLED" environment variable
I think that it might be working as expected though; we just need to look into cleaning up the error messages that continue to erroneously refer to the TF provider instead of the Pulumi provider.
Per:
`aws:skipCredentialsValidation` - (Optional) Skip the credentials validation via the STS API. Useful for AWS API implementations that do not have STS available or implemented. Default value is `false`. Can be set via the environment variable `AWS_SKIP_CREDENTIALS_VALIDATION`.
It seems that this switch enables the provider to succeed, or possibly just speed up, in environments that do not have AWS Security Token Service available. This setting does not advertise a capability for the provider to successfully execute preview without any access to the cloud, which is indeed not supported AFAIK.
Opened https://github.com/pulumi/pulumi-aws/issues/4076 for the side issue discovered here.
@wongstein I've consulted with the team and I believe this works by design. Unfortunately, the AWS provider cannot operate, even preview, without having access to credentials in the general case (executing invokes) and is not optimized for not accessing them for the common case. `skipCredentialsValidation` does not remove the need for credentials.
I assume you may be looking for some capability to type-check Pulumi programs without paying the price of configuring providers. This capability is implicitly available with Pulumi language hosts and perhaps it's worth asking the platform team if it can be quickly surfaced in some pulumi typecheck or similar form that does not engage the provider.
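The distinction drawn in the comments above, as an added example (not code from pulumi-aws or the AWS SDK): a simplified preflight that treats credential resolution and STS validation as two separate stages, so the skip flag can only affect the second. `defined_profiles`, `preflight` and the sample file contents are constructed for illustration; it assumes the profile name comes from `AWS_PROFILE`, and it checks only environment keys and shared-file profiles (IMDS, SSO and web identity sources are out of scope).

```python
import configparser

# Constructed sample files: a "dev" profile exists, "corp" does not.
SAMPLE_CONFIG = "[profile dev]\nregion = us-east-1\n"
SAMPLE_CREDENTIALS = (
    "[dev]\naws_access_key_id = EXAMPLEKEYID\naws_secret_access_key = EXAMPLESECRET\n"
)


def defined_profiles(config_text, credentials_text):
    """Profile names declared in ~/.aws/config and ~/.aws/credentials text."""
    names = set()
    for text, has_prefix in ((config_text, True), (credentials_text, False)):
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.read_string(text)
        for section in parser.sections():
            # The config file writes "[profile NAME]"; credentials writes "[NAME]".
            if has_prefix and section.startswith("profile "):
                section = section[len("profile "):].strip()
            names.add(section)
    return names


def preflight(env, config_text, credentials_text, skip_credentials_validation):
    """Hypothetical two-stage model: resolve a source, then validate via STS."""
    profiles = defined_profiles(config_text, credentials_text)
    named = env.get("AWS_PROFILE")
    has_env_keys = bool(
        env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY")
    )
    # Stage 1: a credential source must resolve. The skip flag is not consulted.
    # Existence only: this does not check that a profile actually holds keys.
    if named and named not in profiles:
        return {"resolve": f"failed to get shared config profile, {named}",
                "sts": "not reached"}
    if not (named or has_env_keys or "default" in profiles):
        return {"resolve": "no valid credential sources found", "sts": "not reached"}
    # Stage 2: the STS identity check is the only step the flag turns off.
    sts = "skipped" if skip_credentials_validation else "GetCallerIdentity would be called"
    return {"resolve": "ok", "sts": sts}


if __name__ == "__main__":
    env = {"AWS_PROFILE": "corp"}  # constructed: profile name from the thread's error
    for flag in (False, True):
        print(flag, preflight(env, SAMPLE_CONFIG, SAMPLE_CREDENTIALS, flag))
```

With the missing `corp` profile the result is the same whether the flag is on or off, which matches the behaviour reported in the thread.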