amazon-web-servicespulumi

pulumi/aws - how to change to deploy to new environment?

I wrote a Pulumi program in Typescript aimed for my current AWS account. Now, I want to run this program on a different account.

With Terraform, documentation is very simple and explains how to make the change. Here, with Pulumi, I tried everything, by the book, always getting: The security token included in the request is invalid because it tries to run it on the previous environment.

What I did? Read all documentation of Pulumi, Ran pulumi config set aws:profile Exported environment variables.

Expected when running pulumi preview to run and get a plan.

Received a error: rpc error: code = Unknown desc = unable to validate AWS credentials. Details: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 84654370-f3fb-4a70-b989-66daad8762b5, api error InvalidClientTokenId: The security token included in the request is invalid Make sure you have set your AWS region, e.g. pulumi config set aws:region us-west-2.

Does someone know, how to force Pulumi to change the AWS url of my stack, so I can deploy to a newly created environment?

Thanks,

Solution

  • Pulumi associates the credentials for a provider to a given stack. If you're changing the credentials associated with an existing stack, you won't be able to perform all the operations need to destroy both the resources in the original account, and creates the resources in the new account.

    What you need to do here is either destroy the resources in the original account, then modify your credentials and create the resources in the new account or associate each account to a Pulumi stack.

    For option 1, that's as simple as:

    # make sure you're authenticated to the original account
export AWS_ACCESS_KEY_ID=whatever your key is
export AWS_SECRET_ACCESS_KEY=whatever your secret key is
pulumi destroy

# then set up new environment variables for the new account
export AWS_ACCESS_KEY_ID="new access key"
export AWS_SECRET_ACCESS_KEY="new secret key"
pulumi up

    For option 2, you can do similar, but it'll allow you to leave the original resources in place

    pulumi stack init newaccount
export AWS_ACCESS_KEY_ID="some key"
export AWS_SECRET_ACCESS_KEY="something"
pulumi up