tessl/golang-github-com-pulumi-pulumi-aws-sdk-v7
A Pulumi provider SDK for creating and managing Amazon Web Services (AWS) cloud resources in Go, providing strongly-typed resource classes and data sources for all major AWS services.
provider.mddocs/reference/
AWS Provider Configuration
Import
import "github.com/pulumi/pulumi-aws/sdk/v7/go/aws"Overview
The AWS Provider configures authentication, region, retry behavior, tagging defaults, and service endpoint overrides for all resources managed by the pulumi-aws SDK. An explicit Provider instance can be created and passed to individual resources to achieve fine-grained, programmatic control over provider settings. When no explicit provider is supplied, resources use the package-wide default configuration.
Provider Creation
func NewProvider(ctx *pulumi.Context, name string, args *ProviderArgs, opts ...pulumi.ResourceOption) (*Provider, error)Creates and registers an explicit provider instance. The name parameter is a logical name for the resource within the Pulumi stack.
Basic Example
provider, err := aws.NewProvider(ctx, "aws-provider", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
Profile: pulumi.StringPtr("my-aws-profile"),
})
if err != nil {
return err
}
// Pass provider to a resource
bucket, err := s3.NewBucketV2(ctx, "my-bucket", &s3.BucketV2Args{
Bucket: pulumi.String("my-unique-bucket-name"),
}, pulumi.Provider(provider))
if err != nil {
return err
}Provider Resource Type
type Provider struct {
pulumi.ProviderResourceState
// Access key for API operations. Retrieved from 'Security & Credentials' in the AWS console.
// Env: AWS_ACCESS_KEY_ID
AccessKey pulumi.StringPtrOutput
// File containing custom root and intermediate certificates.
// Env: AWS_CA_BUNDLE
CustomCaBundle pulumi.StringPtrOutput
// Address of the EC2 metadata service endpoint to use.
// Env: AWS_EC2_METADATA_SERVICE_ENDPOINT
Ec2MetadataServiceEndpoint pulumi.StringPtrOutput
// Protocol to use with EC2 metadata service endpoint. Valid values: "IPv4", "IPv6".
// Env: AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE
Ec2MetadataServiceEndpointMode pulumi.StringPtrOutput
// URL of a proxy to use for HTTP requests when accessing the AWS API.
// Env: HTTP_PROXY or httpProxy
HttpProxy pulumi.StringPtrOutput
// URL of a proxy to use for HTTPS requests when accessing the AWS API.
// Env: HTTPS_PROXY or httpsProxy
HttpsProxy pulumi.StringPtrOutput
// Comma-separated list of hosts that should not use HTTP or HTTPS proxies.
// Env: NO_PROXY or noProxy
NoProxy pulumi.StringPtrOutput
// Named profile for API operations. Defaults to the profile created with `aws configure`.
// Env: AWS_PROFILE
Profile pulumi.StringPtrOutput
// Region where AWS operations will take place (e.g., us-east-1, us-west-2).
// Env: AWS_REGION or AWS_DEFAULT_REGION
Region pulumi.StringPtrOutput
// How retries are attempted. Valid values: "standard", "adaptive".
// Env: AWS_RETRY_MODE
RetryMode pulumi.StringPtrOutput
// Whether S3 API calls in us-east-1 use the legacy global endpoint or a regional endpoint.
// Valid values: "legacy", "regional".
// Env: AWS_S3_US_EAST_1_REGIONAL_ENDPOINT
S3UsEast1RegionalEndpoint pulumi.StringPtrOutput
// Secret key for API operations. Retrieved from 'Security & Credentials' in the AWS console.
// Env: AWS_SECRET_ACCESS_KEY
SecretKey pulumi.StringPtrOutput
// Region where AWS STS operations will take place.
StsRegion pulumi.StringPtrOutput
// Severity with which to enforce organizational tagging policies.
// Valid values: "error", "warning", "disabled".
// Env: TF_AWS_TAG_POLICY_COMPLIANCE
TagPolicyCompliance pulumi.StringPtrOutput
// Session token. Required only when using temporary security credentials.
// Env: AWS_SESSION_TOKEN
Token pulumi.StringPtrOutput
}ProviderArgs
type ProviderArgs struct {
// Access key for API operations. Retrieved from 'Security & Credentials' in the AWS console.
// Env: AWS_ACCESS_KEY_ID
AccessKey pulumi.StringPtrInput
// List of allowed AWS account IDs. Prevents accidental deployment to wrong accounts.
// When set, Pulumi will fail if the current account ID is not in this list.
AllowedAccountIds pulumi.StringArrayInput
// Configuration for web identity role assumption.
AssumeRoleWithWebIdentity ProviderAssumeRoleWithWebIdentityPtrInput
// One or more role assumption configurations.
// Roles are assumed in the order specified, allowing role chaining.
AssumeRoles ProviderAssumeRoleArrayInput
// File containing custom root and intermediate certificates.
// Env: AWS_CA_BUNDLE
CustomCaBundle pulumi.StringPtrInput
// Configuration block to default resource tags across all resources.
DefaultTags ProviderDefaultTagsPtrInput
// Address of the EC2 metadata service endpoint.
// Env: AWS_EC2_METADATA_SERVICE_ENDPOINT
Ec2MetadataServiceEndpoint pulumi.StringPtrInput
// Protocol for EC2 metadata service. Valid values: "IPv4", "IPv6".
// Env: AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE
Ec2MetadataServiceEndpointMode pulumi.StringPtrInput
// Per-service endpoint URL overrides.
// Useful for testing with LocalStack or accessing VPC endpoints.
Endpoints ProviderEndpointArrayInput
// List of forbidden AWS account IDs. Prevents deployment to these accounts.
// When set, Pulumi will fail if the current account ID is in this list.
ForbiddenAccountIds pulumi.StringArrayInput
// URL of proxy for HTTP requests.
// Env: HTTP_PROXY or httpProxy
HttpProxy pulumi.StringPtrInput
// URL of proxy for HTTPS requests.
// Env: HTTPS_PROXY or httpsProxy
HttpsProxy pulumi.StringPtrInput
// Configuration block to ignore resource tags across all resources.
IgnoreTags ProviderIgnoreTagsPtrInput
// Explicitly allow the provider to perform insecure SSL requests. Default: false.
// WARNING: Only use for testing; never in production.
Insecure pulumi.BoolPtrInput
// Maximum number of times an AWS API request is retried before returning an error.
// Default: varies by SDK (typically 3-10 depending on operation and retry mode).
MaxRetries pulumi.IntPtrInput
// Comma-separated list of hosts that bypass HTTP/HTTPS proxies.
// Env: NO_PROXY or noProxy
NoProxy pulumi.StringPtrInput
// Named profile for API operations. Defaults to the profile created with `aws configure`.
// Env: AWS_PROFILE
Profile pulumi.StringPtrInput
// Region where AWS operations will take place (e.g., us-east-1, us-west-2).
// REQUIRED unless set via environment variable.
// Env: AWS_REGION or AWS_DEFAULT_REGION
Region pulumi.StringPtrInput
// How retries are attempted. Valid values: "standard", "adaptive".
// "adaptive" adjusts retry timing based on service throttling signals.
// Env: AWS_RETRY_MODE
RetryMode pulumi.StringPtrInput
// S3 us-east-1 regional endpoint behavior. Valid values: "legacy", "regional".
// "legacy" uses the global s3.amazonaws.com endpoint for us-east-1.
// "regional" uses s3.us-east-1.amazonaws.com.
// Env: AWS_S3_US_EAST_1_REGIONAL_ENDPOINT
S3UsEast1RegionalEndpoint pulumi.StringPtrInput
// Use path-style addressing for S3 (https://s3.amazonaws.com/BUCKET/KEY).
// Default uses virtual hosted bucket addressing (https://BUCKET.s3.amazonaws.com/KEY).
// Path-style is deprecated by AWS but required for some S3-compatible services.
S3UsePathStyle pulumi.BoolPtrInput
// Secret key for API operations.
// Env: AWS_SECRET_ACCESS_KEY
SecretKey pulumi.StringPtrInput
// List of paths to shared config files. Default: [~/.aws/config].
SharedConfigFiles pulumi.StringArrayInput
// List of paths to shared credentials files. Default: [~/.aws/credentials].
SharedCredentialsFiles pulumi.StringArrayInput
// Skip credentials validation via STS API. For non-standard AWS implementations.
// Set to true when using LocalStack or other AWS-compatible services.
SkipCredentialsValidation pulumi.BoolPtrInput
// Skip AWS Metadata API check. For implementations without a metadata API.
// Set to true when running outside EC2 or in environments without IMDS.
SkipMetadataApiCheck pulumi.BoolPtrInput
// Skip static validation of region name. For alternative AWS-like APIs.
SkipRegionValidation pulumi.BoolPtrInput
// Skip requesting the account ID. For implementations without IAM/STS or metadata API.
SkipRequestingAccountId pulumi.BoolPtrInput
// Region where AWS STS operations will take place.
// Useful for directing STS calls to specific regions for latency/compliance.
StsRegion pulumi.StringPtrInput
// Severity for organizational tagging policy enforcement.
// Valid values: "error", "warning", "disabled".
// "error" prevents resource creation if tags don't comply with org policies.
// Env: TF_AWS_TAG_POLICY_COMPLIANCE
TagPolicyCompliance pulumi.StringPtrInput
// Session token for temporary security credentials.
// Required when using temporary credentials from AWS STS.
// Env: AWS_SESSION_TOKEN
Token pulumi.StringPtrInput
// Capacity of the AWS SDK token bucket rate limiter.
// Higher values allow more concurrent API calls but may hit service limits.
TokenBucketRateLimiterCapacity pulumi.IntPtrInput
// Resolve an endpoint with DualStack capability.
// Enables IPv4 and IPv6 connectivity for supported services.
UseDualstackEndpoint pulumi.BoolPtrInput
// Resolve an endpoint with FIPS capability.
// Required for Federal compliance environments.
UseFipsEndpoint pulumi.BoolPtrInput
// Product details to append to the User-Agent string in all AWS API calls.
// Format: ["ProductName/Version", "AnotherProduct/1.0"]
UserAgents pulumi.StringArrayInput
}Authentication Methods
Static Credentials
Provide credentials directly in ProviderArgs. Not recommended for production — prefer environment variables or profiles.
Security Warning: Never commit static credentials to source control. Use this method only for local development or testing.
provider, err := aws.NewProvider(ctx, "aws", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
AccessKey: pulumi.StringPtr("AKIAIOSFODNN7EXAMPLE"),
SecretKey: pulumi.StringPtr("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
// Optional: for temporary credentials
Token: pulumi.StringPtr("AQoXnyc4lcK4w..."),
})
if err != nil {
return err
}Environment Variables
The provider automatically reads these environment variables when corresponding ProviderArgs fields are not set:
| Environment Variable | ProviderArgs Field | Purpose |
|---|---|---|
AWS_ACCESS_KEY_ID | AccessKey | IAM access key ID |
AWS_SECRET_ACCESS_KEY | SecretKey | IAM secret access key |
AWS_SESSION_TOKEN | Token | Temporary session token |
AWS_REGION / AWS_DEFAULT_REGION | Region | Default AWS region |
AWS_PROFILE | Profile | Named profile from ~/.aws/credentials |
AWS_CA_BUNDLE | CustomCaBundle | Custom CA bundle file path |
AWS_RETRY_MODE | RetryMode | Retry strategy (standard/adaptive) |
HTTP_PROXY / httpProxy | HttpProxy | HTTP proxy URL |
HTTPS_PROXY / httpsProxy | HttpsProxy | HTTPS proxy URL |
NO_PROXY / noProxy | NoProxy | Proxy bypass list |
AWS_EC2_METADATA_SERVICE_ENDPOINT | Ec2MetadataServiceEndpoint | IMDS endpoint URL |
AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE | Ec2MetadataServiceEndpointMode | IMDS protocol (IPv4/IPv6) |
AWS_S3_US_EAST_1_REGIONAL_ENDPOINT | S3UsEast1RegionalEndpoint | S3 endpoint style for us-east-1 |
TF_AWS_TAG_POLICY_COMPLIANCE | TagPolicyCompliance | Tag policy enforcement level |
TF_AWS_DEFAULT_TAGS_<tag_name> | DefaultTags.Tags | Individual default tags |
TF_AWS_IGNORE_TAGS_KEYS | IgnoreTags.Keys | Tag keys to ignore |
TF_AWS_IGNORE_TAGS_KEY_PREFIXES | IgnoreTags.KeyPrefixes | Tag key prefixes to ignore |
Example using environment variables:
export AWS_REGION=us-east-1
export AWS_PROFILE=production
export AWS_RETRY_MODE=adaptive
export TF_AWS_DEFAULT_TAGS_Environment=production
export TF_AWS_DEFAULT_TAGS_ManagedBy=pulumi// Provider will use environment variables
provider, err := aws.NewProvider(ctx, "aws", &aws.ProviderArgs{
// No explicit configuration needed - uses environment variables
})
if err != nil {
return err
}Named Profile
provider, err := aws.NewProvider(ctx, "aws", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
Profile: pulumi.StringPtr("production"),
// Optional: override default config file locations
SharedConfigFiles: pulumi.StringArray{pulumi.String("/custom/.aws/config")},
SharedCredentialsFiles: pulumi.StringArray{pulumi.String("/custom/.aws/credentials")},
})
if err != nil {
return err
}Role Assumption (AssumeRole)
Use AssumeRoles to assume an IAM role before making API calls. Multiple role assumptions can be chained.
Use Case: Cross-account deployments, elevation of privileges, temporary access.
provider, err := aws.NewProvider(ctx, "aws", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
AssumeRoles: aws.ProviderAssumeRoleArray{
&aws.ProviderAssumeRoleArgs{
RoleArn: pulumi.StringPtr("arn:aws:iam::123456789012:role/MyRole"),
SessionName: pulumi.StringPtr("PulumiSession"),
ExternalId: pulumi.StringPtr("UniqueExternalID"),
Duration: pulumi.StringPtr("1h"),
},
},
})
if err != nil {
return err
}Multi-account setup:
// Provider for main account
mainProvider, err := aws.NewProvider(ctx, "main", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
Profile: pulumi.StringPtr("main-account"),
})
if err != nil {
return err
}
// Provider for dev account via role assumption
devProvider, err := aws.NewProvider(ctx, "dev", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
AssumeRoles: aws.ProviderAssumeRoleArray{
&aws.ProviderAssumeRoleArgs{
RoleArn: pulumi.StringPtr("arn:aws:iam::111111111111:role/DevDeployRole"),
SessionName: pulumi.StringPtr("PulumiDevSession"),
ExternalId: pulumi.StringPtr("dev-external-id"),
},
},
})
if err != nil {
return err
}
// Resources in main account
mainBucket, err := s3.NewBucketV2(ctx, "main-bucket", &s3.BucketV2Args{
Bucket: pulumi.String("main-account-bucket"),
}, pulumi.Provider(mainProvider))
// Resources in dev account
devBucket, err := s3.NewBucketV2(ctx, "dev-bucket", &s3.BucketV2Args{
Bucket: pulumi.String("dev-account-bucket"),
}, pulumi.Provider(devProvider))Web Identity Role Assumption
Used for OIDC-based authentication (e.g., GitHub Actions, Kubernetes service accounts, CI/CD systems).
Use Case: Workload identity federation, Kubernetes pod identity, GitHub Actions OIDC.
provider, err := aws.NewProvider(ctx, "aws", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
AssumeRoleWithWebIdentity: &aws.ProviderAssumeRoleWithWebIdentityArgs{
RoleArn: pulumi.StringPtr("arn:aws:iam::123456789012:role/OIDCRole"),
SessionName: pulumi.StringPtr("PulumiWebIdentitySession"),
WebIdentityTokenFile: pulumi.StringPtr("/var/run/secrets/eks.amazonaws.com/serviceaccount/token"),
Duration: pulumi.StringPtr("1h"),
},
})
if err != nil {
return err
}GitHub Actions OIDC example:
// In GitHub Actions workflow, AWS provides OIDC token automatically
provider, err := aws.NewProvider(ctx, "github", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
AssumeRoleWithWebIdentity: &aws.ProviderAssumeRoleWithWebIdentityArgs{
RoleArn: pulumi.StringPtr("arn:aws:iam::123456789012:role/GitHubActionsRole"),
WebIdentityTokenFile: pulumi.StringPtr(os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")),
SessionName: pulumi.StringPtr("GitHubActions"),
},
})
if err != nil {
return err
}Supporting Types
ProviderAssumeRoleArgs
type ProviderAssumeRoleArgs struct {
// Duration of the role session (between 15 minutes and 12 hours).
// Valid time units: ns, us (or µs), ms, s, h, m.
// Default: 1 hour.
Duration pulumi.StringPtrInput
// Unique identifier required when assuming a role in another account.
// Used to prevent the confused deputy problem.
ExternalId pulumi.StringPtrInput
// IAM Policy JSON to further restrict permissions for the assumed role.
// This policy is applied as an inline session policy.
Policy pulumi.StringPtrInput
// ARNs of IAM Policies to further restrict permissions for the assumed role.
// These are managed policies applied as session policies (max 10).
PolicyArns pulumi.StringArrayInput
// ARN of the IAM Role to assume prior to making API calls.
// Format: arn:aws:iam::ACCOUNT:role/ROLE-NAME
RoleArn pulumi.StringPtrInput
// Identifier for the assumed role session.
// Appears in CloudTrail logs to identify who assumed the role.
SessionName pulumi.StringPtrInput
// Source identity specified by the principal assuming the role.
// Passed through to CloudTrail logs.
SourceIdentity pulumi.StringPtrInput
// Session tags for the assumed role session.
// Can be used for attribute-based access control (ABAC).
Tags pulumi.StringMapInput
// Session tag keys to pass to any subsequent sessions.
// Used for tag propagation in chained role assumptions.
TransitiveTagKeys pulumi.StringArrayInput
}Example with session policies:
provider, err := aws.NewProvider(ctx, "restricted", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
AssumeRoles: aws.ProviderAssumeRoleArray{
&aws.ProviderAssumeRoleArgs{
RoleArn: pulumi.StringPtr("arn:aws:iam::123456789012:role/AdminRole"),
SessionName: pulumi.StringPtr("PulumiRestrictedSession"),
// Restrict to only S3 operations via session policy
Policy: pulumi.StringPtr(`{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}]
}`),
Duration: pulumi.StringPtr("2h"),
Tags: pulumi.StringMap{
"Project": pulumi.String("infrastructure"),
"Environment": pulumi.String("production"),
},
TransitiveTagKeys: pulumi.StringArray{
pulumi.String("Project"),
pulumi.String("Environment"),
},
},
},
})ProviderAssumeRoleWithWebIdentityArgs
type ProviderAssumeRoleWithWebIdentityArgs struct {
// Duration of the role session (between 15 minutes and 12 hours).
// Valid time units: ns, us (or µs), ms, s, h, m.
Duration pulumi.StringPtrInput
// IAM Policy JSON to further restrict permissions for the assumed role.
Policy pulumi.StringPtrInput
// ARNs of IAM Policies to further restrict permissions for the assumed role.
PolicyArns pulumi.StringArrayInput
// ARN of the IAM Role to assume prior to making API calls.
// This role must have a trust policy allowing OIDC federation.
RoleArn pulumi.StringPtrInput
// Identifier for the assumed role session.
SessionName pulumi.StringPtrInput
// Web identity token value (inline token string).
// Mutually exclusive with WebIdentityTokenFile.
WebIdentityToken pulumi.StringPtrInput
// Path to a file containing a web identity token.
// Mutually exclusive with WebIdentityToken.
// Common paths: /var/run/secrets/eks.amazonaws.com/serviceaccount/token (EKS)
WebIdentityTokenFile pulumi.StringPtrInput
}ProviderDefaultTagsArgs
Configures default tags applied to all resources managed by this provider instance. Individual resource tags take precedence over default tags when keys conflict.
Tag Merging Behavior:
- Resource tags override default tags for the same key
- Tags from both sources are merged
- Some AWS services have tag limits (often 50 tags)
type ProviderDefaultTagsArgs struct {
// Key-value map of tags to apply to all resources.
// Each key can also be set via env: TF_AWS_DEFAULT_TAGS_<tag_name>.
Tags pulumi.StringMapInput
}Example:
provider, err := aws.NewProvider(ctx, "aws", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
DefaultTags: &aws.ProviderDefaultTagsArgs{
Tags: pulumi.StringMap{
"Environment": pulumi.String("production"),
"Team": pulumi.String("platform"),
"ManagedBy": pulumi.String("pulumi"),
"CostCenter": pulumi.String("engineering"),
},
},
})
if err != nil {
return err
}
// Resource will have default tags plus its own tags
bucket, err := s3.NewBucketV2(ctx, "app-bucket", &s3.BucketV2Args{
Bucket: pulumi.String("my-app-bucket"),
Tags: pulumi.StringMap{
"Application": pulumi.String("web-app"), // Merged with default tags
"Team": pulumi.String("frontend"), // Overrides default "platform"
},
}, pulumi.Provider(provider))
// Resulting tags: Environment=production, Team=frontend, ManagedBy=pulumi,
// CostCenter=engineering, Application=web-appProviderIgnoreTagsArgs
Configures tag keys and key prefixes to ignore on all resources. Useful when external systems (e.g., AWS Cost Explorer, tag policies, Kubernetes controllers) manage certain tags that Pulumi should not track.
Use Cases:
- Kubernetes-managed tags (kubernetes.io/, eks.amazonaws.com/)
- AWS-managed tags (aws:*)
- Auto Scaling group tags
- Cost allocation tags managed by FinOps tools
type ProviderIgnoreTagsArgs struct {
// Tag key prefixes to ignore across all resources.
// Env: TF_AWS_IGNORE_TAGS_KEY_PREFIXES
KeyPrefixes pulumi.StringArrayInput
// Exact tag keys to ignore across all resources.
// Env: TF_AWS_IGNORE_TAGS_KEYS
Keys pulumi.StringArrayInput
}Example:
provider, err := aws.NewProvider(ctx, "aws", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
IgnoreTags: &aws.ProviderIgnoreTagsArgs{
Keys: pulumi.StringArray{
pulumi.String("LastDeployedBy"),
pulumi.String("LastDeployedAt"),
},
KeyPrefixes: pulumi.StringArray{
pulumi.String("aws:"), // AWS-managed tags
pulumi.String("kubernetes.io/"), // Kubernetes tags
pulumi.String("eks.amazonaws.com/"), // EKS tags
pulumi.String("autoscaling:"), // Auto Scaling tags
},
},
})
if err != nil {
return err
}ProviderEndpointArgs
Overrides the default service endpoint URLs. Each field corresponds to an AWS service identifier. All fields have the same type (pulumi.StringPtrInput) and the same semantics: provide a custom URL to override the default endpoint for that service.
Use Cases:
- LocalStack testing
- VPC endpoints for private connectivity
- AWS GovCloud or China regions
- Custom AWS-compatible services
type ProviderEndpointArgs struct {
// Override endpoint for Access Analyzer
Accessanalyzer pulumi.StringPtrInput
// Override endpoint for Account
Account pulumi.StringPtrInput
// Override endpoint for ACM
Acm pulumi.StringPtrInput
// Override endpoint for ACM PCA
Acmpca pulumi.StringPtrInput
// Override endpoint for Amazon Managed Grafana
Amg pulumi.StringPtrInput
// Override endpoint for Amazon Managed Prometheus
Amp pulumi.StringPtrInput
// Override endpoint for API Gateway (REST)
Apigateway pulumi.StringPtrInput
// Override endpoint for API Gateway V2 (HTTP/WebSocket)
Apigatewayv2 pulumi.StringPtrInput
// Override endpoint for Application Auto Scaling
Appautoscaling pulumi.StringPtrInput
// Override endpoint for AppConfig
Appconfig pulumi.StringPtrInput
// Override endpoint for Athena
Athena pulumi.StringPtrInput
// Override endpoint for Auto Scaling
Autoscaling pulumi.StringPtrInput
// Override endpoint for Backup
Backup pulumi.StringPtrInput
// Override endpoint for Batch
Batch pulumi.StringPtrInput
// Override endpoint for Bedrock
Bedrock pulumi.StringPtrInput
// Override endpoint for CloudFormation
Cloudformation pulumi.StringPtrInput
// Override endpoint for CloudFront
Cloudfront pulumi.StringPtrInput
// Override endpoint for CloudTrail
Cloudtrail pulumi.StringPtrInput
// Override endpoint for CloudWatch
Cloudwatch pulumi.StringPtrInput
// Override endpoint for CloudWatch Logs
Cloudwatchlogs pulumi.StringPtrInput
// Override endpoint for CodeBuild
Codebuild pulumi.StringPtrInput
// Override endpoint for CodeDeploy
Codedeploy pulumi.StringPtrInput
// Override endpoint for CodePipeline
Codepipeline pulumi.StringPtrInput
// Override endpoint for Cognito Identity
Cognitoidentity pulumi.StringPtrInput
// Override endpoint for Cognito IDP
Cognitoidp pulumi.StringPtrInput
// Override endpoint for DynamoDB
Dynamodb pulumi.StringPtrInput
// Override endpoint for EC2
Ec2 pulumi.StringPtrInput
// Override endpoint for ECR
Ecr pulumi.StringPtrInput
// Override endpoint for ECS
Ecs pulumi.StringPtrInput
// Override endpoint for EKS
Eks pulumi.StringPtrInput
// Override endpoint for ElastiCache
Elasticache pulumi.StringPtrInput
// Override endpoint for Elasticsearch Service
Elasticsearch pulumi.StringPtrInput
// Override endpoint for ELB (Classic)
Elb pulumi.StringPtrInput
// Override endpoint for ELBv2 (ALB/NLB)
Elbv2 pulumi.StringPtrInput
// Override endpoint for EventBridge
Events pulumi.StringPtrInput
// Override endpoint for Glacier
Glacier pulumi.StringPtrInput
// Override endpoint for Glue
Glue pulumi.StringPtrInput
// Override endpoint for IAM
Iam pulumi.StringPtrInput
// Override endpoint for Kinesis
Kinesis pulumi.StringPtrInput
// Override endpoint for KMS
Kms pulumi.StringPtrInput
// Override endpoint for Lambda
Lambda pulumi.StringPtrInput
// Override endpoint for Macie2
Macie2 pulumi.StringPtrInput
// Override endpoint for MSK
Kafka pulumi.StringPtrInput
// Override endpoint for RDS
Rds pulumi.StringPtrInput
// Override endpoint for Redshift
Redshift pulumi.StringPtrInput
// Override endpoint for Route 53
Route53 pulumi.StringPtrInput
// Override endpoint for S3
S3 pulumi.StringPtrInput
// Override endpoint for S3 Control
S3control pulumi.StringPtrInput
// Override endpoint for Secrets Manager
Secretsmanager pulumi.StringPtrInput
// Override endpoint for SES
Ses pulumi.StringPtrInput
// Override endpoint for SNS
Sns pulumi.StringPtrInput
// Override endpoint for SQS
Sqs pulumi.StringPtrInput
// Override endpoint for SSM
Ssm pulumi.StringPtrInput
// Override endpoint for STS
Sts pulumi.StringPtrInput
// Override endpoint for WAF
Waf pulumi.StringPtrInput
// Override endpoint for WAFv2
Wafv2 pulumi.StringPtrInput
// ... additional service endpoints available for all AWS services
}Example (LocalStack):
localstackEndpoint := "http://localhost:4566"
provider, err := aws.NewProvider(ctx, "localstack", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
AccessKey: pulumi.StringPtr("test"),
SecretKey: pulumi.StringPtr("test"),
SkipCredentialsValidation: pulumi.BoolPtr(true),
SkipMetadataApiCheck: pulumi.BoolPtr(true),
SkipRequestingAccountId: pulumi.BoolPtr(true),
Endpoints: aws.ProviderEndpointArray{
&aws.ProviderEndpointArgs{
S3: pulumi.StringPtr(localstackEndpoint),
Sqs: pulumi.StringPtr(localstackEndpoint),
Lambda: pulumi.StringPtr(localstackEndpoint),
Iam: pulumi.StringPtr(localstackEndpoint),
Sts: pulumi.StringPtr(localstackEndpoint),
Dynamodb: pulumi.StringPtr(localstackEndpoint),
Sns: pulumi.StringPtr(localstackEndpoint),
Cloudwatch: pulumi.StringPtr(localstackEndpoint),
},
},
})
if err != nil {
return err
}Example (VPC Endpoints):
// Use VPC endpoints for private connectivity
provider, err := aws.NewProvider(ctx, "vpc-private", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
Endpoints: aws.ProviderEndpointArray{
&aws.ProviderEndpointArgs{
S3: pulumi.StringPtr("https://vpce-1234567-abcdefg.s3.us-east-1.vpce.amazonaws.com"),
Ec2: pulumi.StringPtr("https://vpce-2345678-bcdefgh.ec2.us-east-1.vpce.amazonaws.com"),
},
},
})
if err != nil {
return err
}Complete Configuration Example
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
provider, err := aws.NewProvider(ctx, "production", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
Profile: pulumi.StringPtr("production"),
AssumeRoles: aws.ProviderAssumeRoleArray{
&aws.ProviderAssumeRoleArgs{
RoleArn: pulumi.StringPtr("arn:aws:iam::123456789012:role/DeployRole"),
SessionName: pulumi.StringPtr("PulumiDeploy"),
Duration: pulumi.StringPtr("2h"),
},
},
DefaultTags: &aws.ProviderDefaultTagsArgs{
Tags: pulumi.StringMap{
"Environment": pulumi.String("production"),
"ManagedBy": pulumi.String("pulumi"),
"Project": pulumi.String(ctx.Project()),
"Stack": pulumi.String(ctx.Stack()),
},
},
IgnoreTags: &aws.ProviderIgnoreTagsArgs{
KeyPrefixes: pulumi.StringArray{
pulumi.String("aws:"),
pulumi.String("kubernetes.io/"),
pulumi.String("eks.amazonaws.com/"),
},
Keys: pulumi.StringArray{
pulumi.String("LastModifiedBy"),
pulumi.String("LastModifiedDate"),
},
},
MaxRetries: pulumi.IntPtr(10),
RetryMode: pulumi.StringPtr("adaptive"),
})
if err != nil {
return err
}
_ = provider
return nil
})
}Advanced Patterns
Multi-Region Deployment
Deploy resources across multiple regions using multiple providers:
// Primary region provider
usEast1, err := aws.NewProvider(ctx, "us-east-1", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
})
if err != nil {
return err
}
// Secondary region provider
usWest2, err := aws.NewProvider(ctx, "us-west-2", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-west-2"),
})
if err != nil {
return err
}
// Deploy to both regions
eastBucket, err := s3.NewBucketV2(ctx, "east-bucket", &s3.BucketV2Args{
Bucket: pulumi.String("my-app-us-east-1"),
}, pulumi.Provider(usEast1))
if err != nil {
return err
}
westBucket, err := s3.NewBucketV2(ctx, "west-bucket", &s3.BucketV2Args{
Bucket: pulumi.String("my-app-us-west-2"),
}, pulumi.Provider(usWest2))
if err != nil {
return err
}Cross-Account Deployment
Deploy resources to multiple AWS accounts:
// Account A provider
accountA, err := aws.NewProvider(ctx, "account-a", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
Profile: pulumi.StringPtr("account-a"),
})
if err != nil {
return err
}
// Account B provider (via role assumption)
accountB, err := aws.NewProvider(ctx, "account-b", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
AssumeRoles: aws.ProviderAssumeRoleArray{
&aws.ProviderAssumeRoleArgs{
RoleArn: pulumi.StringPtr("arn:aws:iam::999999999999:role/CrossAccountDeployRole"),
ExternalId: pulumi.StringPtr("external-id-for-account-b"),
SessionName: pulumi.StringPtr("PulumiAccountBDeploy"),
},
},
})
if err != nil {
return err
}
// Deploy to Account A
bucketA, err := s3.NewBucketV2(ctx, "bucket-a", &s3.BucketV2Args{
Bucket: pulumi.String("account-a-bucket"),
}, pulumi.Provider(accountA))
// Deploy to Account B
bucketB, err := s3.NewBucketV2(ctx, "bucket-b", &s3.BucketV2Args{
Bucket: pulumi.String("account-b-bucket"),
}, pulumi.Provider(accountB))Account Protection
Prevent accidental deployment to wrong accounts:
provider, err := aws.NewProvider(ctx, "production", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
// Only allow deployment to production account
AllowedAccountIds: pulumi.StringArray{
pulumi.String("123456789012"), // Production account only
},
// Explicitly forbid deployment to dev/test accounts
ForbiddenAccountIds: pulumi.StringArray{
pulumi.String("111111111111"), // Dev account
pulumi.String("222222222222"), // Test account
},
})
if err != nil {
return err
}
// Deployment will fail if current credentials are for wrong accountRetry Configuration
Configure aggressive retries for unreliable networks or high-traffic scenarios:
provider, err := aws.NewProvider(ctx, "resilient", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
MaxRetries: pulumi.IntPtr(25), // Increase from default ~10
RetryMode: pulumi.StringPtr("adaptive"), // Adaptive retry with exponential backoff
})
if err != nil {
return err
}Proxy Configuration
Route AWS API calls through a proxy:
provider, err := aws.NewProvider(ctx, "proxied", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
HttpsProxy: pulumi.StringPtr("https://corporate-proxy.example.com:8080"),
NoProxy: pulumi.StringPtr("169.254.169.254,localhost,127.0.0.1"), // Bypass proxy for IMDS
})
if err != nil {
return err
}Provider Selection Strategy
Default Provider
When no explicit provider is passed, resources use the default provider:
// Uses default provider (from Pulumi config or environment)
bucket, err := s3.NewBucketV2(ctx, "bucket", &s3.BucketV2Args{
Bucket: pulumi.String("my-bucket"),
})Explicit Provider
Pass a custom provider to individual resources:
customProvider, err := aws.NewProvider(ctx, "custom", &aws.ProviderArgs{
Region: pulumi.StringPtr("eu-west-1"),
})
if err != nil {
return err
}
// Uses custom provider
bucket, err := s3.NewBucketV2(ctx, "bucket", &s3.BucketV2Args{
Bucket: pulumi.String("my-eu-bucket"),
}, pulumi.Provider(customProvider))Provider Inheritance
Child resources inherit the provider from their parent:
customProvider, err := aws.NewProvider(ctx, "custom", &aws.ProviderArgs{
Region: pulumi.StringPtr("ap-southeast-1"),
})
if err != nil {
return err
}
// Parent VPC uses custom provider
vpc, err := ec2.NewVpc(ctx, "vpc", &ec2.VpcArgs{
CidrBlock: pulumi.String("10.0.0.0/16"),
}, pulumi.Provider(customProvider))
if err != nil {
return err
}
// Subnet inherits provider from parent VPC
subnet, err := ec2.NewSubnet(ctx, "subnet", &ec2.SubnetArgs{
VpcId: vpc.ID(),
CidrBlock: pulumi.String("10.0.1.0/24"),
}, pulumi.Parent(vpc)) // Inherits provider from vpcProvider Edge Cases
Edge Case 1: Eventually Consistent Provider Configuration
Provider configuration (especially role assumptions) may take a moment to propagate:
provider, err := aws.NewProvider(ctx, "assumed", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
AssumeRoles: aws.ProviderAssumeRoleArray{
&aws.ProviderAssumeRoleArgs{
RoleArn: pulumi.StringPtr("arn:aws:iam::123456789012:role/NewRole"),
SessionName: pulumi.StringPtr("Session"),
},
},
})
if err != nil {
return err
}
// First resource using the provider might fail if role was just created
// Pulumi's retry logic handles this automatically, but be aware of potential delays
bucket, err := s3.NewBucketV2(ctx, "bucket", &s3.BucketV2Args{
Bucket: pulumi.String("my-bucket"),
}, pulumi.Provider(provider))Edge Case 2: Provider in ComponentResources
When creating ComponentResources, pass provider to children:
type MyComponent struct {
pulumi.ResourceState
}
func NewMyComponent(ctx *pulumi.Context, name string, args *MyComponentArgs, opts ...pulumi.ResourceOption) (*MyComponent, error) {
component := &MyComponent{}
err := ctx.RegisterComponentResource("pkg:index:MyComponent", name, component, opts...)
if err != nil {
return nil, err
}
// Extract provider from opts
providerOpt := pulumi.Parent(component)
// Pass provider to child resources
bucket, err := s3.NewBucketV2(ctx, fmt.Sprintf("%s-bucket", name), &s3.BucketV2Args{
Bucket: pulumi.String("my-bucket"),
}, providerOpt, pulumi.Parent(component))
if err != nil {
return nil, err
}
return component, nil
}Edge Case 3: DefaultTags vs Resource Tags
Understanding tag precedence and merging:
provider, err := aws.NewProvider(ctx, "aws", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
DefaultTags: &aws.ProviderDefaultTagsArgs{
Tags: pulumi.StringMap{
"Environment": pulumi.String("production"),
"ManagedBy": pulumi.String("pulumi"),
"Team": pulumi.String("platform"),
},
},
})
// Resource-level tags
bucket, err := s3.NewBucketV2(ctx, "bucket", &s3.BucketV2Args{
Bucket: pulumi.String("my-bucket"),
Tags: pulumi.StringMap{
"Application": pulumi.String("web-app"),
"Team": pulumi.String("frontend"), // Overrides default "platform"
},
}, pulumi.Provider(provider))
// Effective tags on bucket:
// Environment: production (from default)
// ManagedBy: pulumi (from default)
// Team: frontend (resource overrides default)
// Application: web-app (from resource)Edge Case 4: Provider for Data Sources
Data sources also use provider configuration:
customProvider, err := aws.NewProvider(ctx, "eu", &aws.ProviderArgs{
Region: pulumi.StringPtr("eu-west-1"),
})
if err != nil {
return err
}
// This data source query uses the custom provider's region
azs, err := aws.GetAvailabilityZones(ctx, &aws.GetAvailabilityZonesArgs{
State: pulumi.StringRef("available"),
}, pulumi.Provider(customProvider))
if err != nil {
return err
}
// Returns AZs in eu-west-1, not the default regionEdge Case 5: S3 Path-Style Addressing
Some S3-compatible services require path-style addressing:
// MinIO or other S3-compatible service
minioProvider, err := aws.NewProvider(ctx, "minio", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
AccessKey: pulumi.StringPtr("minioadmin"),
SecretKey: pulumi.StringPtr("minioadmin"),
S3UsePathStyle: pulumi.BoolPtr(true), // Required for MinIO
SkipCredentialsValidation: pulumi.BoolPtr(true),
SkipMetadataApiCheck: pulumi.BoolPtr(true),
SkipRequestingAccountId: pulumi.BoolPtr(true),
SkipRegionValidation: pulumi.BoolPtr(true),
Endpoints: aws.ProviderEndpointArray{
&aws.ProviderEndpointArgs{
S3: pulumi.StringPtr("http://localhost:9000"),
},
},
})
if err != nil {
return err
}Provider Best Practices
1. Use Named Providers for Multi-Region/Account
Always give providers descriptive names:
// ❌ BAD: Generic name
provider1, err := aws.NewProvider(ctx, "provider1", &aws.ProviderArgs{...})
// ✅ GOOD: Descriptive name
usEast1Provider, err := aws.NewProvider(ctx, "us-east-1", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
})
productionProvider, err := aws.NewProvider(ctx, "production-account", &aws.ProviderArgs{
AssumeRoles: aws.ProviderAssumeRoleArray{
&aws.ProviderAssumeRoleArgs{
RoleArn: pulumi.StringPtr("arn:aws:iam::123456789012:role/ProdRole"),
},
},
})2. Set Default Tags Early
Configure default tags at the provider level for consistent tagging:
provider, err := aws.NewProvider(ctx, "aws", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
DefaultTags: &aws.ProviderDefaultTagsArgs{
Tags: pulumi.StringMap{
"Environment": pulumi.String(ctx.Stack()),
"Project": pulumi.String(ctx.Project()),
"ManagedBy": pulumi.String("pulumi"),
"Owner": pulumi.String("platform-team"),
},
},
})3. Use Adaptive Retry Mode
Enable adaptive retry mode for better handling of throttling:
provider, err := aws.NewProvider(ctx, "aws", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
RetryMode: pulumi.StringPtr("adaptive"), // Better than "standard"
})4. Account Guards for Production
Always use AllowedAccountIds for production providers:
productionProvider, err := aws.NewProvider(ctx, "production", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
AllowedAccountIds: pulumi.StringArray{
pulumi.String("123456789012"), // Production account
},
})5. Ignore Infrastructure Tags
Ignore tags managed by external systems:
provider, err := aws.NewProvider(ctx, "aws", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
IgnoreTags: &aws.ProviderIgnoreTagsArgs{
KeyPrefixes: pulumi.StringArray{
pulumi.String("aws:"), // AWS-managed
pulumi.String("kubernetes.io/"), // Kubernetes
pulumi.String("eks.amazonaws.com/"), // EKS
pulumi.String("elasticbeanstalk:"), // Elastic Beanstalk
pulumi.String("autoscaling:"), // Auto Scaling
pulumi.String("cloudformation:"), // CloudFormation
pulumi.String("ecs:"), // ECS
},
},
})Troubleshooting Provider Issues
Issue 1: Credentials Not Found
Error: error configuring Pulumi AWS Provider: no valid credential sources foundSolution: Set credentials via environment variables, profile, or provider args:
export AWS_ACCESS_KEY_ID=your_access_key
export AWS_SECRET_ACCESS_KEY=your_secret_key
export AWS_REGION=us-east-1Or use a profile:
aws configure --profile myprofileprovider, err := aws.NewProvider(ctx, "aws", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
Profile: pulumi.StringPtr("myprofile"),
})Issue 2: Access Denied When Assuming Role
Error: operation error STS: AssumeRole, https response error StatusCode: 403Solution: Check trust policy on the target role:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::SOURCE_ACCOUNT:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "your-external-id"
}
}
}]
}Issue 3: Rate Limiting / Throttling
Error: operation error EC2: DescribeInstances, https response error StatusCode: 429Solution: Increase MaxRetries and use adaptive retry mode:
provider, err := aws.NewProvider(ctx, "aws", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
MaxRetries: pulumi.IntPtr(20),
RetryMode: pulumi.StringPtr("adaptive"),
})Issue 4: Wrong Account Deployment
Error: current AWS account ID (111111111111) is forbiddenSolution: Verify your credentials and AllowedAccountIds/ForbiddenAccountIds settings:
// Check current account
current, err := aws.GetCallerIdentity(ctx, &aws.GetCallerIdentityArgs{})
if err != nil {
return err
}
ctx.Log.Info(fmt.Sprintf("Current account: %s", current.AccountId), nil)Issue 5: Region Mismatch Errors
Error: InvalidBucketName: The specified bucket is not validSolution: Ensure provider region matches resource requirements:
// Some resources require specific regions
usEast1Provider, err := aws.NewProvider(ctx, "us-east-1", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"), // CloudFront ACM certs must be us-east-1
})
// ACM certificate for CloudFront MUST be in us-east-1
cert, err := acm.NewCertificate(ctx, "cdn-cert", &acm.CertificateArgs{
DomainName: pulumi.String("example.com"),
ValidationMethod: pulumi.String("DNS"),
}, pulumi.Provider(usEast1Provider))Provider Configuration Precedence
Provider configuration is resolved in this order (highest to lowest precedence):
- Explicit ProviderArgs fields in code
- Environment variables (AWS_, TF_AWS_)
- Shared credentials/config files (~/.aws/credentials, ~/.aws/config)
- EC2 Instance Metadata Service (IMDS) when running on EC2
- ECS Task Role when running in ECS
- Default values specified by the SDK
Example showing precedence:
// AWS_REGION=us-west-2 set in environment
// ~/.aws/config has region=eu-west-1 for profile "myprofile"
provider, err := aws.NewProvider(ctx, "aws", &aws.ProviderArgs{
Profile: pulumi.StringPtr("myprofile"),
Region: pulumi.StringPtr("us-east-1"), // Highest precedence - this wins
})
// Provider will use us-east-1, not us-west-2 or eu-west-1Provider Performance Considerations
Minimize Provider Instances
Each provider instance maintains its own connection pool and credentials cache. Reuse providers when possible:
// ❌ LESS EFFICIENT: New provider for each resource
for i := 0; i < 100; i++ {
provider, err := aws.NewProvider(ctx, fmt.Sprintf("provider-%d", i), &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
})
bucket, err := s3.NewBucketV2(ctx, fmt.Sprintf("bucket-%d", i), &s3.BucketV2Args{
Bucket: pulumi.Sprintf("bucket-%d", i),
}, pulumi.Provider(provider))
}
// ✅ MORE EFFICIENT: Reuse single provider
provider, err := aws.NewProvider(ctx, "shared", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
})
if err != nil {
return err
}
for i := 0; i < 100; i++ {
bucket, err := s3.NewBucketV2(ctx, fmt.Sprintf("bucket-%d", i), &s3.BucketV2Args{
Bucket: pulumi.Sprintf("bucket-%d", i),
}, pulumi.Provider(provider))
if err != nil {
return err
}
}Provider Credential Caching
The provider caches credentials and refreshes them automatically before expiration:
// Temporary credentials (valid for 1 hour)
provider, err := aws.NewProvider(ctx, "aws", &aws.ProviderArgs{
Region: pulumi.StringPtr("us-east-1"),
AssumeRoles: aws.ProviderAssumeRoleArray{
&aws.ProviderAssumeRoleArgs{
RoleArn: pulumi.StringPtr("arn:aws:iam::123456789012:role/MyRole"),
Duration: pulumi.StringPtr("1h"),
},
},
})
// Provider will automatically refresh credentials before they expire
// during long-running operations (e.g., pulumi up taking > 1 hour)Install with Tessl CLI
npx tessl i tessl/golang-github-com-pulumi-pulumi-aws-sdk-v7@7.16.1docs