Closed dhilgarth closed 8 months ago
Hi @dhilgarth. This is the expected behavior of the explicit (in-code) providers. Part of the benefit they provide is to isolate your provider from ambient config. If you want to equip them with ambient credentials, you can pass values from your pulumi config to them on creation.
There is an issue to allow changing this behavior in pulumi/pulumi: https://github.com/pulumi/pulumi/issues/12176.
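One way to do what the comment above suggests, as an added example that is not part of the original thread or Pulumi's own code. It assumes the stack config holds `aws:accessKey` and `aws:secretKey` (the issue's config snippet is not shown on this page); `SecretReader`, `explicitAwsArgs` and `stubConfig` are hypothetical names, and the stub values are constructed.

```typescript
// The one pulumi.Config method used here, written out so the block runs without
// @pulumi/pulumi installed. S is Output<string> for a real pulumi.Config("aws")
// and plain string for the constructed stub below.
interface SecretReader<S> {
  requireSecret(key: string): S; // throws when the key is not set on the stack
}

interface ExplicitAwsArgs<S> {
  region: string;
  accessKey: S;
  secretKey: S;
  allowedAccountIds: string[];
}

// Build the arguments for an explicit aws.Provider from the stack's aws:* config.
// requireSecret throws on a missing key, so a stack without credentials fails
// during preview instead of falling back to environment variables, the shared
// credentials file, or EC2 instance metadata.
function explicitAwsArgs<S>(
  cfg: SecretReader<S>, region: string, expectedAccountId: string,
): ExplicitAwsArgs<S> {
  if (!/^\d{12}$/.test(expectedAccountId)) {
    throw new Error(`expected a 12-digit AWS account ID, got "${expectedAccountId}"`);
  }
  return {
    region,
    accessKey: cfg.requireSecret("accessKey"),
    secretKey: cfg.requireSecret("secretKey"),
    // Provider option: refuse to operate if the credentials resolve elsewhere.
    allowedAccountIds: [expectedAccountId],
  };
}

// Constructed stand-in for pulumi.Config("aws"), used to exercise the function.
function stubConfig(values: Record<string, string>): SecretReader<string> {
  return {
    requireSecret(key: string): string {
      const v = values[key];
      if (v === undefined) throw new Error(`missing required config 'aws:${key}'`);
      return v;
    },
  };
}

// In a Pulumi program (requires @pulumi/pulumi and @pulumi/aws):
//   const usEast1 = new aws.Provider("us-east-1",
//     explicitAwsArgs(new pulumi.Config("aws"), "us-east-1", "<account id>"));
//   new aws.acm.Certificate("cert", { /* ... */ }, { provider: usEast1 });
```
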
That's the thing: it does use ambient config: environment variables, shared credentials file, EC2 Instance Metadata. The only thing it doesn't use is the pulumi config, even though the documentation makes it look like the pulumi config and environment variables are equivalent.
I've upvoted the other issue.
What happened?
I've configured my stack with the AWS credentials like so:
The implicit provider uses these credentials. However, if I manually create a new provider, it doesn't use them.
In an environment where the AWS CLI is configured with different credentials, it will silently use those and deploy to the wrong account. In an environment where the AWS CLI is not configured, it errors out:
Example
Output of `pulumi about`

```
CLI
Version      3.101.1
Go Version   go1.21.5
Go Compiler  gc

Plugins
NAME    VERSION
aws     6.18.0
nodejs  unknown

Host
OS       debian
Version  12.4
Arch     x86_64

This project is written in nodejs: executable='/usr/local/bin/node' version='v21.5.0'

Backend
Name           b3d6f4dc687c
URL            file://~
User           root
Organizations
Token type     personal

Dependencies:
NAME            VERSION
@pulumi/aws     6.18.0
@pulumi/pulumi  3.101.1
@types/node     18.19.6
```
Additional context
My example is very simple, and one could ask why I'm doing this. There are a few resources that must be created in us-east-1 no matter what, e.g. certificates for CloudFront. So this is a common scenario: same account, just a different region.