Open catmeme opened 3 years ago
The above works just fine with 4.x but with the new MAJOR, 5.x I receive:
error configuring Terraform AWS Provider: loading configuration: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set
I came up with a temporary work-around for the new MAJOR.
You can explicitly declare an aws provider and pass it in the opts to each one of your resource declarations.
```ts
import * as aws from "@pulumi/aws";

// Explicit provider built from session credentials already present in the
// environment (obtained out of band, e.g. through the AWS CLI's MFA prompt).
const awsProvider = new aws.Provider("aws-provider", {
  accessKey: process.env.AWS_ACCESS_KEY_ID,
  region: "us-east-1",
  secretKey: process.env.AWS_SECRET_ACCESS_KEY,
  token: process.env.AWS_SESSION_TOKEN,
});
// Pass it to each resource via opts: new aws.s3.Bucket("b", {}, { provider: awsProvider });
```
Unfortunately, I was unable to get this working with the default provider. I attempted the below:

```ts
import * as aws from "@pulumi/aws";

// Attempt to seed the default provider's underlying AWS SDK with the
// session credentials from the environment (this did not work for me).
aws.sdk.config.credentials = {
  accessKeyId: process.env.AWS_ACCESS_KEY_ID as string,
  secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY as string,
  sessionToken: process.env.AWS_SESSION_TOKEN as string,
};
```
A separate work-around is to only provide the `aws:region` in stack configuration YAMLs, track the profile name as a separate project variable, and in the wrapper pass that profile as `AWS_PROFILE` before the `pulumi` command.
Still would like to see a better solution from Pulumi.
Pretty important for us since the pulumi role would be highly privileged. It's worth noting that `kubectl` is able to support the awscli behaviour, passing the prompt to the end user.
Are there any updates on this issue? This looks like a pretty important feature to have.
Expected behavior
It would be preferred if the AWS Provider understood the AWS config the same way as the aws cli.
Current behavior
Given an `~/.aws/config` with sections similar to below:

AWS cli behavior:

Subsequent requests will use `~/.aws/cli/cache/<some_id>.json`.

However, `aws:profile` in `Pulumi.sandbox.yaml` will not work, generating an error:

Furthermore, when using the work-around below, if the token (`AWS_SESSION_TOKEN`) expires Pulumi will hang.

Steps to reproduce
See above.
Context (Environment)
We need to implement role-based access with MFA, but this is blocking us for doing it purely with Pulumi.
Workaround
Generate environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.

Here is a bash/zsh function that wraps Pulumi to support the expected behavior:
Related issues:
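The wrapper described in the Workaround section, written out as an added example (not the issue author's function): the AWS CLI performs the MFA prompt and writes its assume-role cache, the wrapper exports the cached session credentials, refuses to run when they have already expired (the case that makes Pulumi hang), and then runs `pulumi` with only `aws:region` needed in stack config. It assumes the `~/.aws/cli/cache/<id>.json` layout named in the issue and the `AccessKeyId` / `SecretAccessKey` / `SessionToken` / `Expiration` keys in that file; the function names `pulumi_mfa` and `aws_cache_export` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not the issue author's wrapper. Assumes the AWS CLI cache
# layout ~/.aws/cli/cache/<id>.json with keys AccessKeyId, SecretAccessKey,
# SessionToken and Expiration (an ISO-8601 timestamp, UTC).

# Pull one string value out of a cache JSON file. Works for single-line and
# pretty-printed JSON and needs only sed (no jq dependency).
_aws_cache_field() {                      # $1 = file, $2 = key
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Export AWS_* variables from a cache file. Returns 1 and exports nothing when
# the cached token has expired: Pulumi hangs on an expired token, so failing
# here is the safe outcome. Expiry is compared as a 14-digit UTC number
# (YYYYMMDDHHMMSS) so it is portable across GNU and BSD date.
aws_cache_export() {                      # $1 = cache file
  local exp now
  exp=$(_aws_cache_field "$1" Expiration | tr -cd '0-9' | cut -c1-14)
  now=$(date -u +%Y%m%d%H%M%S)
  if [ -z "$exp" ] || [ "$exp" -le "$now" ]; then
    echo "cached session expired or unreadable: $1" >&2
    return 1
  fi
  AWS_ACCESS_KEY_ID=$(_aws_cache_field "$1" AccessKeyId)
  AWS_SECRET_ACCESS_KEY=$(_aws_cache_field "$1" SecretAccessKey)
  AWS_SESSION_TOKEN=$(_aws_cache_field "$1" SessionToken)
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Usage: pulumi_mfa <profile> up ...   (hypothetical wrapper name)
# The CLI call triggers the MFA prompt and populates the cache; Pulumi then
# only ever sees short-lived session variables, never the long-lived keys.
pulumi_mfa() {
  local profile=$1; shift
  aws sts get-caller-identity --profile "$profile" >/dev/null || return 1
  local cache
  # Newest cache file; assumes one profile is in use at a time.
  cache=$(ls -t "${HOME}/.aws/cli/cache"/*.json 2>/dev/null | head -n 1)
  [ -n "$cache" ] || { echo "no cache file written" >&2; return 1; }
  aws_cache_export "$cache" || return 1
  unset AWS_PROFILE                       # avoid a second assume-role by Pulumi
  pulumi "$@"
}
```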