Pulumi AWS Native
Pulumi AWS Native, currently at version 1.61.0, is a Python package for defining and managing AWS resources using the AWS Cloud Control API. It provides same-day access to new AWS resources and properties as they become available in Cloud Control. The library maintains a rapid release cadence, often with multiple updates per month, reflecting its close alignment with AWS Cloud Control API updates.
Common errors
- error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
  cause: Pulumi, and its underlying Terraform AWS provider, may not automatically detect IAM instance profile credentials on EC2 instances.
  fix: Set the Pulumi stack configuration `aws:skipMetadataApiCheck` to `false` (`pulumi config set aws:skipMetadataApiCheck false`) or export the environment variable (`export AWS_SKIP_METADATA_API_CHECK=false`) to ensure credential detection.
- error: could not get AWS account ID: operation error STS: GetCallerIdentity, get identity: get credentials: failed to refresh cached credentials, the SSO session has expired or is invalid.
  cause: The AWS SSO session or temporary credentials have expired or were not correctly picked up by the `pulumi-aws-native` provider.
  fix: Re-authenticate your AWS SSO session using your preferred method (e.g., `aws sso login` or your SSO tool) to refresh credentials and ensure they are active and correctly exported as environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`).
- Pulumi wants to recreate a resource after `pulumi refresh` even though my code hasn't changed.
  cause: `pulumi-aws-native` detected a difference in default values for optional attributes in the cloud state versus what's implicitly managed by your code, and these attributes are flagged to cause replacement.
  fix: Examine the `pulumi preview` output carefully to identify the specific attribute causing the replacement. If the default value is acceptable, explicitly set that attribute in your Pulumi code. If not, manual state editing might be required, or open an issue with Pulumi for specific resource behavior.
Warnings
- gotcha The provider was originally named 'AWS Native' but was officially renamed to 'AWS Cloud Control Provider' in March 2024. While the Python package retains `pulumi-aws-native`, official Pulumi documentation often refers to it by its new name.
- gotcha For new projects, Pulumi generally recommends starting with the `pulumi_aws` (classic) provider and integrating `pulumi-aws-native` (AWS Cloud Control) for specific resources only available via the Cloud Control API or for same-day feature access. `pulumi-aws-native` is not intended as a direct replacement for `pulumi_aws` but rather as a complement.
- breaking Performing `pulumi refresh` can sometimes cause `pulumi-aws-native` to add default values for optional attributes to the state, even if they were not explicitly set in your code. This can lead to subsequent `pulumi up` operations attempting to recreate resources if these default attributes are marked as `replaceOnChange`.
- gotcha Users integrating with AWS SSO (e.g., via `granted.dev` or `aws-vault`) have reported issues where `pulumi up` with `pulumi-aws-native` fails with `STS: GetCallerIdentity` errors, indicating credential problems, even when the `pulumi_aws` provider works correctly in the same shell session.
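The check described in the `pulumi refresh` warning and in the "Pulumi wants to recreate a resource" entry, as an added example that is not part of the original page or the Pulumi project: a CI gate that reads `pulumi preview --json` output and lists the properties forcing each replacement. The JSON field names (`steps`, `op`, `urn`, `replaceReasons`, `detailedDiff`, `diffKind`) are assumed from the CLI's preview output and should be checked against your CLI version; the sample document is constructed, and `find_replacements`, `gate` and `allowed_urns` are hypothetical names.

```python
import json

# Constructed sample in the assumed shape of `pulumi preview --json` output.
# Real input would come from: pulumi preview --json > preview.json
BUCKET_URN = "urn:pulumi:dev::demo::aws-native:s3:Bucket::my-first-aws-native-bucket"
SAMPLE_PREVIEW = json.dumps({
    "steps": [
        {"op": "same", "urn": "urn:pulumi:dev::demo::pulumi:pulumi:Stack::demo-dev"},
        {"op": "replace", "urn": BUCKET_URN,
         "replaceReasons": ["bucketName"],
         "detailedDiff": {
             "bucketName": {"diffKind": "update-replace", "inputDiff": False},
             "tags": {"diffKind": "update", "inputDiff": True}}},
    ],
    "changeSummary": {"same": 1, "replace": 1},
})

# Step operations that mean a resource is destroyed and recreated.
REPLACE_OPS = {"replace", "create-replacement", "delete-replaced"}


def find_replacements(preview_json, allowed_urns=()):
    """Return {urn: [property, ...]} for each resource the preview would replace."""
    findings = {}
    for step in json.loads(preview_json).get("steps", []):
        if step.get("op") not in REPLACE_OPS or step.get("urn") in allowed_urns:
            continue
        # Properties the engine names as replacement triggers ...
        props = set(step.get("replaceReasons") or [])
        # ... plus any property whose diff kind ends in "-replace".
        for name, diff in (step.get("detailedDiff") or {}).items():
            if str(diff.get("diffKind", "")).endswith("-replace"):
                props.add(name)
        findings.setdefault(step["urn"], set()).update(props)
    return {urn: sorted(props) for urn, props in findings.items()}


def gate(preview_json, allowed_urns=()):
    """CI exit code: 1 if any unapproved replacement is planned, else 0."""
    findings = find_replacements(preview_json, allowed_urns)
    for urn, props in findings.items():
        print(f"REPLACE {urn}: {', '.join(props) or 'unknown property'}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_PREVIEW))
```

Running this after `pulumi refresh` and before `pulumi up` surfaces an unplanned recreate of a stateful resource while it is still only a preview; pass reviewed URNs in `allowed_urns` to approve an intended replacement.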
Install
- pip install pulumi-aws-native
- pulumi plugin install resource aws-native 1.61.0
Imports
- aws_native
import pulumi_aws_native as aws_native
- s3
import pulumi_aws_native.s3 as s3
Quickstart
import pulumi
import pulumi_aws_native as aws_native

# Configure the AWS region (e.g., via `pulumi config set aws-native:region us-east-1`
# or the AWS_REGION environment variable) and AWS credentials.
# For the quickstart, ensure the AWS CLI is configured or these env vars are set:
# export AWS_ACCESS_KEY_ID='YOUR_ACCESS_KEY'
# export AWS_SECRET_ACCESS_KEY='YOUR_SECRET_KEY'
# export AWS_REGION='us-east-1'

# Create an AWS S3 bucket.
# If bucket_name is omitted, Pulumi generates a unique physical name from the
# resource name ("my-first-aws-native-bucket").
# Pass bucket_name only if a fixed name is required (it must be globally unique).
bucket = aws_native.s3.Bucket(
    "my-first-aws-native-bucket",
    bucket_name="my-unique-pulumi-bucket-name-12345",  # Use a unique name for actual deployment
)

# Export the name of the bucket
pulumi.export("bucket_name", bucket.bucket_name)

# To deploy this, navigate to your project directory in the terminal and run:
# pulumi up