AWS Classic

v5.16.0 published on Saturday, Sep 24, 2022 by Pulumi

Installation

The AWS Classic provider is available as a package in all Pulumi languages:

Credentials

  1. Create an IAM user in the AWS console with programmatic access and ensure it has sufficient permissions to deploy and manage your Pulumi program’s resources.
  2. Set up AWS credentials for your user.

Your AWS credentials are never sent to pulumi.com. Pulumi uses the AWS SDK and the credentials in your environment to authenticate requests from your computer to AWS.

Configuration

There are a few different ways you can configure your AWS credentials to work with Pulumi.

Set credentials as environment variables

You can authenticate using environment variables. Doing so will temporarily override the settings in your credentials file.

$ export AWS_ACCESS_KEY_ID=<YOUR_ACCESS_KEY_ID>
$ export AWS_SECRET_ACCESS_KEY=<YOUR_SECRET_ACCESS_KEY>
$ export AWS_REGION=<YOUR_AWS_REGION> # e.g. `ap-south-1`
> $env:AWS_ACCESS_KEY_ID = "<YOUR_ACCESS_KEY_ID>"
> $env:AWS_SECRET_ACCESS_KEY = "<YOUR_SECRET_ACCESS_KEY>"
> $env:AWS_REGION = "<YOUR_AWS_REGION>"

You may alternatively set the AWS region in your Pulumi.yaml:

$ pulumi config set aws:region <your-region> # e.g. `ap-south-1`

Create a shared credentials file using the AWS CLI

  1. Install the AWS CLI

  2. Configure your AWS credentials.

    $ aws configure
    AWS Access Key ID [None]: <YOUR_ACCESS_KEY_ID>
    AWS Secret Access Key [None]: <YOUR_SECRET_ACCESS_KEY>
    Default region name [None]: <YOUR_AWS_REGION>
    Default output format [None]:

Your AWS credentials file is now located in your home directory at .aws/credentials.

You can also create the shared credentials file by hand. For example:

[default]
aws_access_key_id = <YOUR_ACCESS_KEY_ID>
aws_secret_access_key = <YOUR_SECRET_ACCESS_KEY>

Set up multiple profiles

As an optional step, you can set up multiple profiles. Here’s what that looks like in your ~/.aws/credentials file:

[default]
aws_access_key_id = <YOUR_DEFAULT_ACCESS_KEY_ID>
aws_secret_access_key = <YOUR_DEFAULT_SECRET_ACCESS_KEY>

[test-account]
aws_access_key_id = <YOUR_TEST_ACCESS_KEY_ID>
aws_secret_access_key = <YOUR_TEST_SECRET_ACCESS_KEY>

[prod-account]
aws_access_key_id = <YOUR_PROD_ACCESS_KEY_ID>
aws_secret_access_key = <YOUR_PROD_SECRET_ACCESS_KEY>

You can specify which profile to use with Pulumi through one of the following methods:

  • Set AWS_PROFILE as an environment variable

    $ export AWS_PROFILE=<YOUR_PROFILE_NAME>

  • Set aws:profile in your Pulumi.yaml

    $ pulumi config set aws:profile <profilename>

Authenticating via EC2 Instance Metadata?

As of pulumi-aws v3.28.1, the provider's default behaviour was changed so that the EC2 Instance Metadata API check is disabled by default. To authenticate via instance metadata, you therefore need to do one of the following:

  1. When using the default provider:

    pulumi config set aws:skipMetadataApiCheck false

  2. When using a named provider (TypeScript, C#, Go and Python shown in turn):

    // TypeScript
    const myProvider = new aws.Provider("named-provider", {
      // other config
      skipMetadataApiCheck: false,
    });

    // C#
    var provider = new Aws.Provider("named-provider", new Aws.ProviderArgs
    {
      // other config
      SkipMetadataApiCheck = false,
    });

    // Go
    provider, err := aws.NewProvider(ctx, "named-provider", &aws.ProviderArgs{
        // other config
        SkipMetadataApiCheck: pulumi.Bool(false),
    })

    # Python
    provider = pulumi_aws.Provider('named-provider', skip_metadata_api_check=False)

Configuration options

Use pulumi config set aws:<option> or pass options to the constructor of new aws.Provider.

Option (Required/Optional)
    Description

region (Required)
    The region where AWS operations will take place. Examples are us-east-1, us-west-2, etc.

allowedAccountIds (Optional)
    List of allowed AWS account IDs to prevent you from mistakenly using an incorrect one (and potentially ending up destroying a live environment). Conflicts with forbiddenAccountIds.

accessKey (Optional)
    The access key for API operations. You can retrieve this from the ‘Security & Credentials’ section of the AWS console.

assumeRole (Optional)
    A JSON object representing an IAM role to assume. To set these nested properties, see docs on structured configuration, for example pulumi config set --path aws:assumeRole.roleArn arn:aws:iam::058111598222:role/OrganizationAccountAccessRole. The object contains the properties marked with a ↳ below:
    ↳ durationSeconds (Optional)
        Number of seconds to restrict the assume role session duration.
    ↳ externalId (Optional)
        External identifier to use when assuming the role.
    ↳ policy (Optional)
        IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.
    ↳ policyArns (Optional)
        Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.
    ↳ roleArn (Optional)
        Amazon Resource Name (ARN) of the IAM Role to assume.
    ↳ sessionName (Optional)
        Session name to use when assuming the role.
    ↳ tags (Optional)
        Map of assume role session tags.
    ↳ transitiveTagKeys (Optional)
        Set of assume role session tag keys to pass to any subsequent sessions.

dynamodbEndpoint (Optional)
    Use this to override the default endpoint URL constructed from the region. It’s typically used to connect to dynamodb-local.

forbiddenAccountIds (Optional)
    List of forbidden AWS account IDs to prevent you from mistakenly using the wrong one (and potentially ending up destroying a live environment). Conflicts with allowedAccountIds.

defaultTags (Optional)
    A JSON block with resource tag settings to apply across all resources handled by this provider. Additional tags can be added or overridden at a per-resource level. The object contains the properties marked with a ↳ below:
    ↳ tags (Optional)
        A key/value map of tags to apply across all resources.

ignoreTags (Optional)
    A JSON block with resource tag settings to ignore across all resources handled by this provider (except any individual service tag resources such as aws.ec2.Tag) for situations where external systems are managing certain resource tags. The object contains the properties marked with a ↳ below:
    ↳ keys (Optional)
        A list of exact resource tag keys to ignore across all resources handled by this provider. This configuration prevents Pulumi from returning the tag in any tags properties and from displaying any diffs for the tag value. If any resource still has this tag key configured in the tags argument, it will display a perpetual diff until the tag is removed from the argument or ignoreChanges is also used.
    ↳ keyPrefixes (Optional)
        A list of resource tag key prefixes to ignore across all resources handled by this provider. This configuration prevents Pulumi from returning the tag in any tags properties and from displaying any diffs for the tag value. If any resource still has this tag key configured in the tags argument, it will display a perpetual diff until the tag is removed from the argument or ignoreChanges is also used.

insecure (Optional)
    Explicitly allow the provider to perform “insecure” SSL requests. If omitted, the default value is false.

kinesisEndpoint (Optional)
    Use this to override the default endpoint URL constructed from the region. It’s typically used to connect to kinesalite.

maxRetries (Optional)
    The maximum number of times an AWS API request is executed. If the API request still fails, an error is thrown.

profile (Optional)
    The profile for API operations. If not set, the default profile created with aws configure will be used.

s3ForcePathStyle (Optional)
    Set this to true to force the request to use path-style addressing, i.e., http://s3.amazonaws.com/BUCKET/KEY. By default, the S3 client will use virtual hosted bucket addressing when possible (http://BUCKET.s3.amazonaws.com/KEY). Specific to the Amazon S3 service.

secretKey (Optional)
    The secret key for API operations. You can retrieve this from the ‘Security & Credentials’ section of the AWS console.

sharedCredentialsFile (Optional)
    The path to the shared credentials file. If not set, this defaults to ~/.aws/credentials.

skipCredentialsValidation (Optional)
    Skip the credentials validation via the STS API. Used for AWS API implementations that do not have STS available/implemented.

skipGetEc2Platforms (Optional)
    Skip getting the supported EC2 platforms. Used by users that don’t have ec2:DescribeAccountAttributes permissions.

skipMetadataApiCheck (Optional)
    Skip the AWS Metadata API check. Useful for AWS API implementations that do not have a metadata API endpoint. Setting to true prevents Pulumi from authenticating via the Metadata API. You may need to use other authentication methods like static credentials, configuration variables, or environment variables.

skipRegionValidation (Optional)
    Skip static validation of the region name. Used by users of alternative AWS-like APIs or users with access to regions that are not public (yet).

skipRequestingAccountId (Optional)
    Skip requesting the account ID. Used for AWS API implementations that do not have IAM/STS API and/or metadata API.

token (Optional)
    Use this to set an MFA token. It can also be sourced from the AWS_SESSION_TOKEN environment variable.