Feature: other S3 provider as state store then Amazon S3 #3592

Closed
CrystalMethod opened this issue Nov 30, 2019 · 14 comments

CrystalMethod commented Nov 30, 2019

We would like to use an S3 backend provider other than Amazon AWS S3 as the state store, namely DigitalOcean and JFrog Artifactory; Minio is also a valid option. All attempts to adjust the S3 URL property failed. It always tries to connect to a host such as s3.amazon.com.

https://pulumi-community.slack.com/archives/C84L4E3N1/p1570861053113800

@CrystalMethod CrystalMethod changed the title Feature: other S3 provider then Amazon S3 Feature: other S3 provider as state store then Amazon S3 Dec 2, 2019
@pgavlin pgavlin self-assigned this Dec 2, 2019
@CrystalMethod
Author

Any progress?

asyd commented Apr 21, 2020

@CrystalMethod in case that helps, I successfully created a project in minio using:

/pulumi login 's3://minio/pulumi?region=fr&endpoint=domain.com'

Where minio url is minio.domain.com

bnason commented Apr 22, 2020

> @CrystalMethod in case that helps, I successfully created a project in minio using:
>
> /pulumi login 's3://minio/pulumi?region=fr&endpoint=domain.com'
>
> Where minio url is minio.domain.com

When trying to init a new stack using this method with Minio, I'm getting the following error:

error: could not create stack: An IO error occurred during the current operation: blob (key ".pulumi/stacks/pulumi.json") (code=Unknown): InvalidAccessKeyId: The access key ID you provided does not exist in our records.
status code: 403, request id: 1608286DC236591B, host id:
  1. How do I pass the Minio Access Key and Secret Key?
  2. I tried to give the Minio bucket public read/write but that didn't fix it either

asyd commented Apr 22, 2020

Edit ~/.aws/credentials to add a section, like:

[minio]
aws_access_key_id = xxx
aws_secret_access_key = xxx

Then, set environment variable AWS_PROFILE to minio before running pulumi

bnason commented Apr 22, 2020

That did it, thanks!

@CrystalMethod
Author

CrystalMethod commented Apr 22, 2020

Thanks @asyd. With your help I'm finally able to bootstrap a new project running pulumi new but pulumi up ends in an HTTP 404. I suspect it's because the Minio version is too old (2018-12-27T18:33:08Z). I will try a more recent version.

error: saving update info: blob (key ".pulumi/stacks/dev.json -> .pulumi/history/dev/dev-1587563593718859000.checkpoint.json") (code=Unknown): NoSuchBucket: The specified bucket does not exist
        status code: 404, request id: 160828AD664D26E3, host id:

@CrystalMethod
Author

No, even with latest Minio I get the error above when running pulumi up. Here is the stacktrace

error: saving update info: blob (key ".pulumi/stacks/dev.json -> .pulumi/history/dev/dev-1588177969928498000.checkpoint.json") (code=Unknown): NoSuchBucket: The specified bucket does not exist
        status code: 404, request id: 160A5772FB3BABB0, host id:
github.com/pulumi/pulumi/pkg/v2/backend/filestate.(*localBackend).apply
        /private/tmp/pulumi-20200416-24195-7o2f34/src/github.com/pulumi/pulumi/pkg/backend/filestate/backend.go:562
github.com/pulumi/pulumi/pkg/v2/backend.PreviewThenPromptThenExecute
        /private/tmp/pulumi-20200416-24195-7o2f34/src/github.com/pulumi/pulumi/pkg/backend/apply.go:211
github.com/pulumi/pulumi/pkg/v2/backend/filestate.(*localBackend).Update
        /private/tmp/pulumi-20200416-24195-7o2f34/src/github.com/pulumi/pulumi/pkg/backend/filestate/backend.go:420
github.com/pulumi/pulumi/pkg/v2/backend.UpdateStack
        /private/tmp/pulumi-20200416-24195-7o2f34/src/github.com/pulumi/pulumi/pkg/backend/stack.go:82
github.com/pulumi/pulumi/pkg/v2/backend/filestate.(*localStack).Update
        /private/tmp/pulumi-20200416-24195-7o2f34/src/github.com/pulumi/pulumi/pkg/backend/filestate/stack.go:72
main.newUpCmd.func1
        /private/tmp/pulumi-20200416-24195-7o2f34/src/github.com/pulumi/pulumi/pkg/cmd/pulumi/up.go:133
main.newUpCmd.func3
        /private/tmp/pulumi-20200416-24195-7o2f34/src/github.com/pulumi/pulumi/pkg/cmd/pulumi/up.go:370
github.com/pulumi/pulumi/sdk/v2/go/common/util/cmdutil.RunResultFunc.func1
        /private/tmp/pulumi-20200416-24195-7o2f34/src/github.com/pulumi/pulumi/sdk/go/common/util/cmdutil/exit.go:112
github.com/spf13/cobra.(*Command).execute
        /private/tmp/pulumi-20200416-24195-7o2f34/pkg/mod/github.com/spf13/cobra@v0.0.6/command.go:844
github.com/spf13/cobra.(*Command).ExecuteC
        /private/tmp/pulumi-20200416-24195-7o2f34/pkg/mod/github.com/spf13/cobra@v0.0.6/command.go:945
github.com/spf13/cobra.(*Command).Execute
        /private/tmp/pulumi-20200416-24195-7o2f34/pkg/mod/github.com/spf13/cobra@v0.0.6/command.go:885
main.main
        /private/tmp/pulumi-20200416-24195-7o2f34/src/github.com/pulumi/pulumi/pkg/cmd/pulumi/main.go:48
runtime.main
        /usr/local/Cellar/go/1.14.2_1/libexec/src/runtime/proc.go:203
runtime.goexit
        /usr/local/Cellar/go/1.14.2_1/libexec/src/runtime/asm_amd64.s:1373

@CrystalMethod
Author

Start latest Minio release using Docker:

$ docker run -p 9000:9000 minio/minio:RELEASE.2020-04-28T23-56-56Z server /data
...
Detected default credentials 'minioadmin:minioadmin'
...

Log into the Web UI and create a bucket pulumi.
Add default credentials to ~/.aws/credentials

...
[minio]
aws_access_key_id = minioadmin
aws_secret_access_key = minioadmin

Select the minio profile:

export AWS_PROFILE=minio

Add a subdomain to localhost in /etc/hosts

127.0.0.1        localhost minio.localhost

Login to Minio S3

$ pulumi login 's3://minio/pulumi?region=us-east-1&endpoint=http://localhost:9000'
Logged into Larss-MacBook-Pro.local as lars (s3://minio/pulumi?region=us-east-1&endpoint=http://localhost:9000)

Bootstrap a new Pulumi project

$ pulumi new kubernetes-typescript
...

Folders are created in Minio bucket:

$ pulumi up
...
error: saving update info: blob (key ".pulumi/stacks/dev.json -> .pulumi/history/dev/dev-1588177969928498000.checkpoint.json") (code=Unknown): NoSuchBucket: The specified bucket does not exist
        status code: 404, request id: 160A5772FB3BABB0, host id:

ydkn commented May 13, 2020

Thank you @CrystalMethod - I got it working with OpenStack blob store this way except for one problem:

When saving the state at the end the following error is produced:

error: saving update info: blob (key ".pulumi/stacks/dev.json -> .pulumi/history/dev/dev-1589384917390913131.checkpoint.json") (code=Unknown): NoSuchBucket: status code: 404, request id: tx0000000000000006e1650-005ebc16d5-4a267cf-default, host id:

It seems that only the Copy operation is affected:

return b.bucket.Copy(context.TODO(), checkpointFile, b.stackPath(name), nil)

other operations like the following are working and also the state itself is preserved and can be fetched from the backend again (e.g. after deleting ~/.pulumi locally):

if err = b.bucket.WriteAll(context.TODO(), historyFile, byts, nil); err != nil {

The corresponding history file (dev-1589384917390913131.history.json) therefore is also present on the s3 store.

Does somebody have an idea how to solve this?

@kesavkolla

I'm getting the same error s3.CopyObject forbidden 403 with minio. I do have full rights on the bucket and still minio is throwing a 403 forbidden error. Has anyone figured this out?

@stack72 stack72 assigned stack72 and unassigned pgavlin Jul 1, 2021
@stack72 stack72 added kind/enhancement Improvements or new features resolution/fixed This issue was fixed labels Jul 1, 2021
@stack72 stack72 added this to the 0.59 milestone Jul 1, 2021
@stack72
Contributor

stack72 commented Jul 1, 2021

Hi Folks

Sorry this has been open so long - so we definitely have this working (especially for Minio)

https://www.pulumi.com/docs/intro/concepts/state/#logging-into-the-aws-s3-backend

As you can see from this, the url should be something similar to this:

pulumi login 's3://<bucket-name>?endpoint=my.minio.local:8080&disableSSL=true&s3ForcePathStyle=true'

Notice the s3ForcePathStyle=true as part of the url

But this works as expected

Please let us know if this is not the case and we can reopen and re-investigate

Paul
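
The URL options discussed in this thread (`endpoint`, `disableSSL`, `s3ForcePathStyle`) can be checked before the URL goes into `pulumi login` or `PULUMI_BACKEND_URL`. The following is an added example, not code from Pulumi or from any commenter: `lint_backend_url` and its finding codes are names made up here, the third sample host is constructed, and the rule that an explicit scheme in `endpoint` takes precedence over `disableSSL` is an assumption.

```python
from urllib.parse import parse_qs, urlsplit

MESSAGES = {  # finding codes are names chosen for this example
    "not-s3": "not of the form s3://<bucket-name>[?options]",
    "no-path-style": "custom endpoint without s3ForcePathStyle=true",
    "plaintext-remote": "state travels over plain HTTP to a remote host",
    "plaintext-loopback": "plain HTTP to loopback, fit for local tests only",
}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def _is_true(opts, name):
    return opts.get(name, "").lower() == "true"


def lint_backend_url(url):
    """Return finding codes (keys of MESSAGES) for a Pulumi S3 backend URL."""
    parts = urlsplit(url)
    if parts.scheme != "s3" or not parts.netloc:
        return ["not-s3"]
    opts = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    endpoint = opts.get("endpoint", "")
    if not endpoint:
        return []  # no custom endpoint: the SDK's AWS defaults apply
    # The thread shows both bare (host:port) and scheme-qualified endpoints.
    has_scheme = "://" in endpoint
    host = urlsplit(endpoint if has_scheme else "//" + endpoint).hostname or ""
    findings = []
    if not _is_true(opts, "s3ForcePathStyle"):
        findings.append("no-path-style")
    # Assumption: an explicit scheme decides TLS; disableSSL only matters
    # when the endpoint is a bare host:port.
    plaintext = endpoint.lower().startswith("http://") or (
        not has_scheme and _is_true(opts, "disableSSL"))
    if plaintext:
        findings.append(
            "plaintext-loopback" if host in LOOPBACK else "plaintext-remote")
    return findings


if __name__ == "__main__":
    samples = [  # first two are from the thread, the third is constructed
        "s3://minio/pulumi?region=us-east-1&endpoint=http://localhost:9000",
        "s3://pulumi-test?endpoint=http://minio.myserverurl.com:9000"
        "&disableSSL=true&s3ForcePathStyle=true&region=de",
        "s3://state-bucket?endpoint=https://minio.example.internal:9000"
        "&s3ForcePathStyle=true",
    ]
    for u in samples:
        print([MESSAGES[c] for c in lint_backend_url(u)] or "ok", u)
```

Without `s3ForcePathStyle=true` the SDK addresses the bucket as a subdomain of the endpoint, which is why the earlier `s3://minio/pulumi?...&endpoint=domain.com` form resolved to minio.domain.com.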

@stack72 stack72 closed this as completed Jul 1, 2021
@jaxxstorm
Contributor

For those that end up on this issue because they're struggling with using a third party S3 compatible backend...

The AWS credentials you use for accessing the state are different from the credentials you use for provisioning infrastructure.

Credentials for provisioning infrastructure are set at the provider level, so you can define any of the options specified here:
https://www.pulumi.com/registry/packages/aws/api-docs/provider/

These credentials are NOT used for accessing the state backend.

So you can do the following:

define two aws profiles

```
[minio]
aws_access_key_id = xxx
aws_secret_access_key = xxx
[aws]
aws_access_key_id = xxx
aws_secret_access_key = xxx
```

And then do:

```
pulumi config set aws:profile aws
```

and then execute your program with the minio variables

```
AWS_PROFILE=minio pulumi up
```
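
The split described in the comment above, one profile for the state store and another for provisioning, can be verified against a credentials file before a deployment runs. This is an added example, not code from Pulumi or from the commenter: `audit_profiles` and its finding codes are hypothetical names, and all key values in the sample files are constructed placeholders.

```python
import configparser

# Default pair reported by the MinIO server start-up log quoted in this thread.
DEFAULT_MINIO = ("minioadmin", "minioadmin")


def audit_profiles(ini_text, state_profile, provider_profile):
    """Return finding codes for the state/provider profile split."""
    cp = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    try:
        cp.read_string(ini_text)
    except configparser.Error:
        return ["malformed-file"]  # e.g. keys that precede any [profile] header
    findings, pairs = [], {}
    for role, name in (("state", state_profile), ("provider", provider_profile)):
        if not cp.has_section(name):
            findings.append(f"{role}-profile-missing")
            continue
        pair = (cp[name].get("aws_access_key_id", ""),
                cp[name].get("aws_secret_access_key", ""))
        if not all(pair):
            findings.append(f"{role}-profile-incomplete")
        pairs[role] = pair
    # One key pair for both jobs means the state store credential can also
    # provision infrastructure, and the other way round.
    if len(pairs) == 2 and pairs["state"] == pairs["provider"]:
        findings.append("shared-key-pair")
    if pairs.get("state") == DEFAULT_MINIO:
        findings.append("default-minio-credentials")
    return findings


# Constructed sample files; every key below is a placeholder.
GOOD = """
[minio]
aws_access_key_id = STATEKEYEXAMPLE
aws_secret_access_key = state-secret-example
[aws]
aws_access_key_id = PROVIDERKEYEXAMPLE
aws_secret_access_key = provider-secret-example
"""
WEAK = """
[minio]
aws_access_key_id = minioadmin
aws_secret_access_key = minioadmin
"""

if __name__ == "__main__":
    print(audit_profiles(GOOD, "minio", "aws"))
    print(audit_profiles(WEAK, "minio", "aws"))
```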

SPFZ commented Nov 16, 2023

For anyone having trouble with minio login like I did: make sure the aws_access_key_id does not contain underscores "_" (probably avoid special characters in general or use the minio auto-generated ones).
I created a custom name for my access key with underscores in it "admin_access_key" and minio accepted it, however it did not work in pulumi and I got stuck for a while trying to figure out where I went wrong.

This worked for me:

$ mkdir ~/.aws
$ cat ~/.aws/credentials
[minio]
aws_access_key_id = g9YPeCpEdP5CqMdbgapS
aws_secret_access_key = pasXF5dW1EIvwEXXRlNgVd3EXSOVhgvEgDwm1JqX
$ export AWS_PROFILE="minio"
# bucket name was pulumi-test
$ pulumi login 's3://pulumi-test?endpoint=http://minio.myserverurl.com:9000&disableSSL=true&s3ForcePathStyle=true&region=de'
# pulumi created a folder .pulumi in the bucket with the file meta.yaml in it

trustos commented May 21, 2024

For anyone trying to use Oracle S3 compatible buckets for login:

pulumi login 's3://<bucket-name>?endpoint=https://<namespace>.compat.objectstorage.<oci-region>.oraclecloud.com&s3ForcePathStyle=true'

The s3ForcePathStyle=true was something I missed before and it ended up throwing similar errors as others reported.
In my case I use it in Pulumi automation so I set the PULUMI_BACKEND_URL as the s3 value.
