Skip to content
DevOps AI ToolKit
Newsletter
All guides
AI for Pulumi By James Joyner IV · · 8 min read

Pulumi Error: 'no valid credential sources for AWS Provider found' — Cause, Fix, and Troubleshooting Guide

Quick answer

Fix Pulumi's 'no valid credential sources for AWS Provider found' error by configuring AWS credentials via aws configure, AWS_PROFILE, env vars, or SSO.

  • #pulumi
  • #iac
  • #troubleshooting
  • #errors
Free toolkit

Fixing errors like this? Get 500 free DevOps AI prompts

500 copy-paste AI prompts for the stack you actually run — one PDF, free.

Overview

error: no valid credential sources for AWS Provider found means the pulumi-aws provider tried every place it knows to look for AWS credentials — environment variables, shared credentials/config files, SSO cache, EC2/ECS instance metadata — and came up empty (or everything it found was expired). Pulumi cannot call the AWS APIs, so any operation touching an AWS resource fails.

error: no valid credential sources for AWS Provider found.

Please see https://www.pulumi.com/registry/packages/aws/installation-configuration/
for more information about providing credentials.

The provider uses the same credential resolution chain as the AWS CLI and SDKs. If aws sts get-caller-identity fails, Pulumi will fail the same way. Fixing one fixes the other.

Symptoms

  • pulumi preview or pulumi up fails on the first AWS resource with no valid credential sources.
  • aws sts get-caller-identity also errors or hangs.
  • It works locally but fails in CI/CD, or vice versa.
  • It worked yesterday and now fails — a hint that temporary/SSO credentials expired.
  • The message links to the Pulumi AWS installation-configuration page.

Common Root Causes

1. No credentials configured at all

Nothing in the environment, no ~/.aws/credentials, no profile, no instance role. Common on a new machine or a bare CI runner.

$ aws sts get-caller-identity
Unable to locate credentials. You can configure credentials by running "aws configure".

2. Expired temporary or SSO credentials

STS session tokens, assumed-role credentials, and SSO logins are short-lived. Once they expire, the provider finds credentials but they no longer authenticate.

The security token included in the request is expired

3. Wrong or unset profile

You have multiple profiles in ~/.aws/config but Pulumi is looking at the default (or a profile that does not exist). AWS_PROFILE is unset or points at the wrong name.

# the provider defaults to the "default" profile unless told otherwise
echo "$AWS_PROFILE"   # empty -> uses default

4. Missing region combined with a partial config

An unset region can make credential resolution behave unexpectedly, especially with SSO and some endpoint lookups. Pulumi needs aws:region (or AWS_REGION).

5. CI runner without a role or secrets

In GitHub Actions/GitLab/etc., the job never ran an auth step (OIDC role assumption or exported secrets), so the runner has no credentials.

How to Diagnose

The single most useful check — does AWS itself see you?

aws sts get-caller-identity

Show which profile and region are active:

echo "AWS_PROFILE=$AWS_PROFILE"
echo "AWS_REGION=$AWS_REGION"
aws configure list

List configured profiles:

aws configure list-profiles
cat ~/.aws/config

Confirm what Pulumi thinks the region is:

pulumi config get aws:region

If you use SSO, check whether the session is still valid:

aws sso login --profile my-sso-profile
aws sts get-caller-identity --profile my-sso-profile

Fixes

Configure static credentials with the AWS CLI: The simplest path for a workstation.

aws configure
# AWS Access Key ID:     AKIAEXAMPLEPLACEHOLDER
# AWS Secret Access Key: <your-secret-access-key>
# Default region name:   us-east-1
# Default output format:  json

Or export credentials as environment variables: The provider reads these first. Use placeholders — never commit real keys.

export AWS_ACCESS_KEY_ID=AKIAEXAMPLEPLACEHOLDER
export AWS_SECRET_ACCESS_KEY=<your-secret-access-key>
export AWS_REGION=us-east-1
# For temporary credentials, also set the session token:
export AWS_SESSION_TOKEN=<your-session-token>

Select the right profile: Point Pulumi at a named profile via the environment or config.

export AWS_PROFILE=my-profile
# or bake it into the stack:
pulumi config set aws:profile my-profile

Refresh expired SSO / temporary credentials: Re-authenticate, then re-run.

aws sso login --profile my-sso-profile
export AWS_PROFILE=my-sso-profile
pulumi up

Set the region: Pulumi needs a region for the AWS provider.

pulumi config set aws:region us-east-1
# or
export AWS_REGION=us-east-1

In CI/CD, assume a role with OIDC (recommended): No long-lived secrets. With the AWS credentials GitHub Action:

permissions:
  id-token: write
  contents: read
steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789012:role/pulumi-deploy
      aws-region: us-east-1
  - run: pulumi up --yes --stack prod

What to Watch Out For

  • Pulumi resolves credentials exactly like the AWS CLI/SDK — aws sts get-caller-identity is your ground truth.
  • Temporary/SSO/assumed-role credentials expire; a job that worked this morning can fail this afternoon.
  • Never commit access keys to Pulumi.<stack>.yaml, source, or CI logs. Prefer OIDC role assumption or a secrets manager.
  • Setting aws:region in stack config keeps behavior consistent across machines and CI.
  • AWS_PROFILE in your shell can silently override pulumi config set aws:profile; know which one is winning.
  • Instance/task roles (EC2/ECS/EKS) count as a credential source — on those hosts you may not need any local config.
Free download · 368-page PDF

Get 500 Battle-Tested DevOps AI Prompts — Free

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.