Pulumi Error: 'no valid credential sources for AWS Provider found' — Cause, Fix, and Troubleshooting Guide
Fix Pulumi's 'no valid credential sources for AWS Provider found' error by configuring AWS credentials via aws configure, AWS_PROFILE, env vars, or SSO.
- #pulumi
- #iac
- #troubleshooting
- #errors
Fixing errors like this? Get 500 free DevOps AI prompts
500 copy-paste AI prompts for the stack you actually run — one PDF, free.
Overview
error: no valid credential sources for AWS Provider found means the pulumi-aws provider tried every place it knows to look for AWS credentials — environment variables, shared credentials/config files, SSO cache, EC2/ECS instance metadata — and came up empty (or everything it found was expired). Pulumi cannot call the AWS APIs, so any operation touching an AWS resource fails.
error: no valid credential sources for AWS Provider found.
Please see https://www.pulumi.com/registry/packages/aws/installation-configuration/
for more information about providing credentials.
The provider uses the same credential resolution chain as the AWS CLI and SDKs. If aws sts get-caller-identity fails, Pulumi will fail the same way. Fixing one fixes the other.
Symptoms
pulumi previeworpulumi upfails on the first AWS resource withno valid credential sources.aws sts get-caller-identityalso errors or hangs.- It works locally but fails in CI/CD, or vice versa.
- It worked yesterday and now fails — a hint that temporary/SSO credentials expired.
- The message links to the Pulumi AWS installation-configuration page.
Common Root Causes
1. No credentials configured at all
Nothing in the environment, no ~/.aws/credentials, no profile, no instance role. Common on a new machine or a bare CI runner.
$ aws sts get-caller-identity
Unable to locate credentials. You can configure credentials by running "aws configure".
2. Expired temporary or SSO credentials
STS session tokens, assumed-role credentials, and SSO logins are short-lived. Once they expire, the provider finds credentials but they no longer authenticate.
The security token included in the request is expired
3. Wrong or unset profile
You have multiple profiles in ~/.aws/config but Pulumi is looking at the default (or a profile that does not exist). AWS_PROFILE is unset or points at the wrong name.
# the provider defaults to the "default" profile unless told otherwise
echo "$AWS_PROFILE" # empty -> uses default
4. Missing region combined with a partial config
An unset region can make credential resolution behave unexpectedly, especially with SSO and some endpoint lookups. Pulumi needs aws:region (or AWS_REGION).
5. CI runner without a role or secrets
In GitHub Actions/GitLab/etc., the job never ran an auth step (OIDC role assumption or exported secrets), so the runner has no credentials.
How to Diagnose
The single most useful check — does AWS itself see you?
aws sts get-caller-identity
Show which profile and region are active:
echo "AWS_PROFILE=$AWS_PROFILE"
echo "AWS_REGION=$AWS_REGION"
aws configure list
List configured profiles:
aws configure list-profiles
cat ~/.aws/config
Confirm what Pulumi thinks the region is:
pulumi config get aws:region
If you use SSO, check whether the session is still valid:
aws sso login --profile my-sso-profile
aws sts get-caller-identity --profile my-sso-profile
Fixes
Configure static credentials with the AWS CLI: The simplest path for a workstation.
aws configure
# AWS Access Key ID: AKIAEXAMPLEPLACEHOLDER
# AWS Secret Access Key: <your-secret-access-key>
# Default region name: us-east-1
# Default output format: json
Or export credentials as environment variables: The provider reads these first. Use placeholders — never commit real keys.
export AWS_ACCESS_KEY_ID=AKIAEXAMPLEPLACEHOLDER
export AWS_SECRET_ACCESS_KEY=<your-secret-access-key>
export AWS_REGION=us-east-1
# For temporary credentials, also set the session token:
export AWS_SESSION_TOKEN=<your-session-token>
Select the right profile: Point Pulumi at a named profile via the environment or config.
export AWS_PROFILE=my-profile
# or bake it into the stack:
pulumi config set aws:profile my-profile
Refresh expired SSO / temporary credentials: Re-authenticate, then re-run.
aws sso login --profile my-sso-profile
export AWS_PROFILE=my-sso-profile
pulumi up
Set the region: Pulumi needs a region for the AWS provider.
pulumi config set aws:region us-east-1
# or
export AWS_REGION=us-east-1
In CI/CD, assume a role with OIDC (recommended): No long-lived secrets. With the AWS credentials GitHub Action:
permissions:
id-token: write
contents: read
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789012:role/pulumi-deploy
aws-region: us-east-1
- run: pulumi up --yes --stack prod
What to Watch Out For
- Pulumi resolves credentials exactly like the AWS CLI/SDK —
aws sts get-caller-identityis your ground truth. - Temporary/SSO/assumed-role credentials expire; a job that worked this morning can fail this afternoon.
- Never commit access keys to
Pulumi.<stack>.yaml, source, or CI logs. Prefer OIDC role assumption or a secrets manager. - Setting
aws:regionin stack config keeps behavior consistent across machines and CI. AWS_PROFILEin your shell can silently overridepulumi config set aws:profile; know which one is winning.- Instance/task roles (EC2/ECS/EKS) count as a credential source — on those hosts you may not need any local config.
Related Guides
- Pulumi Error: ‘invalid configuration key’ — Troubleshooting Guide
- Pulumi Error: ‘unmarshalling properties’ — Troubleshooting Guide
- Pulumi Error: ‘update failed’ — Troubleshooting Guide
Get 500 Battle-Tested DevOps AI Prompts — Free
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.