Improve the error message when there are no valid credentials. #2285

Closed
lukehoban opened this issue Dec 23, 2022 · 10 comments
Labels

  • impact/upstream-regression: Upstream regression - manifests on upstream the same way
  • impact/usability: Something that impacts users' ability to use the product easily and intuitively
  • kind/enhancement: Improvements or new features
  • resolution/fixed: This issue was fixed

Comments

@lukehoban
Contributor

The error when there are not valid credentials is quite complex and awkward at the moment.

```
  aws:lb:LoadBalancer (foobar-alb):
    error: unable to validate AWS credentials.
    Details: no valid credential sources for  found.

    Please see
    for more information about providing credentials.

    Error: failed to refresh cached credentials, the SSO session has expired or is invalid: access token is expired


    Make sure you have:

         • Set your AWS region, e.g. `pulumi config set aws:region us-west-2`
         • Configured your AWS credentials as per https://pulumi.io/install/aws.html
         You can also set these via cli using `aws configure`.
```

There are a number of opportunities to improve:

  • Fix or remove the missing and misformatted "Please see \n for more ...".
  • Remove one or more of the repeated error statements "error: unable to validate AWS credentials.", "Details: no valid credential sources for found.", "Error: failed to refresh cached credentials,". The last of these is necessary and has critical information - the others are nice to have at best.
  • Remove the note about AWS region - that is not related to this class of error - and especially as the first bullet - is likely to mislead users on where the problem is - as ~all users who see this will already have taken that action.
  • Clean up formatting overall: (1) consistent use of newlines, (2) consistent indentation (see the very last line).
@lukehoban lukehoban added kind/enhancement Improvements or new features impact/usability Something that impacts users' ability to use the product easily and intuitively needs-triage Needs attention from the triage team labels Dec 23, 2022
@mikhailshilkov mikhailshilkov removed the needs-triage Needs attention from the triage team label Dec 27, 2022
@lukehoban
Contributor Author

This seems to be even worse now. I see this when I have invalid credentials (but notably, do have aws:region set).

```
Diagnostics:
  pulumi:providers:aws (default_6_2_1):
    error: rpc error: code = Unknown desc = 2 errors occurred:
    	* unable to validate AWS credentials.
    Details: [{0x14008da4000 0x14008d90440}]
    Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`.

    	* unable to validate AWS credentials.
    Details: [{0x14008d350e0 0x14008e60e20}]
    Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`.
```

@EvanBoyle EvanBoyle added the p1 A bug severe enough to be the next item assigned to an engineer label Oct 5, 2023
@mikhailshilkov mikhailshilkov added the needs-triage Needs attention from the triage team label Oct 5, 2023
@mikhailshilkov
Member

mikhailshilkov commented Oct 6, 2023

I opened #2858 as a tactical improvement to avoid dumping Go addresses, which should hopefully be enough to remove P1 from this.

Now, the experience is still not great. This is what I get after the fix:

```
Diagnostics:
  pulumi:providers:aws (default_6_4_0):
    error: rpc error: code = Unknown desc = 2 errors occurred:
    	* unable to validate AWS credentials.
    Details: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, failed to resolve service endpoint, endpoint rule error, Invalid Configuration: Missing Region
    Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`.

    	* unable to validate AWS credentials.
    Details: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, failed to resolve service endpoint, endpoint rule error, Invalid Configuration: Missing Region
    Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`.
```

The next step is to figure out how to:

  • Avoid duplicating the message twice
  • Avoid showing the rpc error

From my brief investigation:

  • We return the diagnostics message as an error from preConfigureCallback here
  • It's called from CheckConfigWithContext here. Notably, the error is returned as an RPC error (third result) and not as []plugin.CheckFailure (second result), which I guess causes the RPC error part of UX
  • Muxer's CheckConfig, which processes the results of CheckConfigWithContext, has some logic to de-duplicate check failures here, but it doesn't do the same for errors, so the error is returned twice (once for TFPF, once for SDK), which results in the duplicated message

cc @iwahbe @t0yv0 I'm curious to get your thoughts on the above.

@mikhailshilkov mikhailshilkov removed the needs-triage Needs attention from the triage team label Oct 6, 2023
@mikhailshilkov mikhailshilkov self-assigned this Oct 6, 2023
@t0yv0
Member

t0yv0 commented Oct 6, 2023

Good investigation. Yes I think the duplication is certainly stemming from the split design where aws = muxed(aws_pf, aws_sdkv2). Currently muxer broadcasts Configure calls.

From what I've seen earlier, it might be a possibility to not broadcast the calls but only run Configure on sdkv2 for AWS since last time I looked PF branch used a wrapper around the same identical object representing the provider. This is not at the level of confidence though where I would recommend it right away. Thinking further, there might be an opportunity to reduce startup time if we're doing expensive Configure work twice.

Deduplicating errors better is a no-brainer in terms of self rollout.

@t0yv0
Member

t0yv0 commented Oct 6, 2023

CC @mjeffryes

@iwahbe
Member

iwahbe commented Oct 6, 2023

I opened pulumi/pulumi-terraform-bridge#1418 to track muxer error de-duplication in the bridge.

@t0yv0
Member

t0yv0 commented Oct 6, 2023

Related: pulumi/pulumi-gcp#1236

mikhailshilkov added a commit that referenced this issue Oct 9, 2023
…v format dump (#2858)

A tactical improvement for
#2285 to avoid Go pointers
leaking into error messages.

Before:

> unable to validate AWS credentials.
    Details: [{0x14009acaee0}]
Make sure you have set your AWS region, e.g. `pulumi config set
aws:region us-west-2`.

After:

> unable to validate AWS credentials.
Details: validating provider credentials: retrieving caller identity
from STS: operation error STS: GetCallerIdentity, failed to resolve
service endpoint, endpoint rule error, Invalid Configuration: Missing
Region
Make sure you have set your AWS region, e.g. `pulumi config set
aws:region us-west-2`.
@mikhailshilkov
Member

#2858 shipped a fix for hex addresses in the message, so I think I can remove P1 for now.

We'll plan pulumi/pulumi-terraform-bridge#1418 for M96 as the next step.

@mikhailshilkov mikhailshilkov removed the p1 A bug severe enough to be the next item assigned to an engineer label Oct 10, 2023
@joeduffy joeduffy added the impact/upstream-regression Upstream regression - manifests on upstream the same way label Oct 20, 2023
@VenelinMartinov
Contributor

De-duplicating the errors with no valid credentials doesn't fix the issue since the errors are slightly different:

```
Diagnostics:
  pulumi:providers:aws (default):
    error: rpc error: code = Unknown desc = 2 errors occurred:
    	* unable to validate AWS credentials.
    Details: No valid credential sources found. Please see https://www.pulumi.com/registry/packages/aws/installation-configuration/
    for more information about providing credentials.

    Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request canceled, context deadline exceeded

    Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`.

    	* unable to validate AWS credentials.
    Details: No valid credential sources found. Please see https://www.pulumi.com/registry/packages/aws/installation-configuration/
    for more information about providing credentials.

    Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, access disabled to EC2 IMDS via client option, or "AWS_EC2_METADATA_DISABLED" environment variable

    Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`.
```

It does however fix the duplicated error message when no region is specified:

```
  pulumi:providers:aws (default):
    error: rpc error: code = Unknown desc = unable to validate AWS credentials.
    Details: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, failed to resolve service endpoint, endpoint rule error, Invalid Configuration: Missing Region
    Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`.
```
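
The behaviour discussed in the comments above (message-based de-duplication collapses the missing-region error but not the no-credentials one) can be shown with a small sketch. This is an added example, not the bridge's muxer code: `dedupeErrors` and `joinConfigErrors` are hypothetical names, and the sample messages are constructed, shortened versions of the diagnostics quoted in this thread.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed sample messages, shortened from the diagnostics quoted in this thread.
const (
	missingRegion   = "unable to validate AWS credentials.\nDetails: ... Invalid Configuration: Missing Region"
	noCredsTimeout  = "unable to validate AWS credentials.\nError: ... ec2imds: GetMetadata, request canceled, context deadline exceeded"
	noCredsDisabled = "unable to validate AWS credentials.\nError: ... ec2imds: GetMetadata, access disabled to EC2 IMDS via client option"
)

// dedupeErrors keeps the first error for each distinct message, preserving order.
func dedupeErrors(errs []error) []error {
	seen := make(map[string]struct{}, len(errs))
	var out []error
	for _, err := range errs {
		if err == nil {
			continue
		}
		if _, dup := seen[err.Error()]; dup {
			continue
		}
		seen[err.Error()] = struct{}{}
		out = append(out, err)
	}
	return out
}

// joinConfigErrors (hypothetical name) combines the results of a call that was
// broadcast to several sub-providers into the single error shown to the user.
func joinConfigErrors(errs []error) error {
	unique := dedupeErrors(errs)
	switch len(unique) {
	case 0:
		return nil
	case 1:
		return unique[0]
	}
	var b strings.Builder
	fmt.Fprintf(&b, "%d errors occurred:", len(unique))
	for _, e := range unique {
		fmt.Fprintf(&b, "\n\t* %s", e)
	}
	return errors.New(b.String())
}

func main() {
	// Identical messages from both sub-providers collapse to one.
	fmt.Println(joinConfigErrors([]error{errors.New(missingRegion), errors.New(missingRegion)}))
	// Messages that differ only in the trailing cause are still reported twice.
	fmt.Println(joinConfigErrors([]error{errors.New(noCredsTimeout), errors.New(noCredsDisabled)}))
}
```
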

VenelinMartinov added a commit that referenced this issue Nov 3, 2023
This should address the error duplication reported in
#2285 as suggested by @t0yv0.

We now have a global counter which guards the credentials check and makes
sure we only run it once.

For testing, I ran a few programs both with and without errors and it
does seem to do the right thing.


```
Previewing update (dedev)

View in Browser (Ctrl+O): https://app.pulumi.com/venelin-pulumi-corp/aws_bucket_go/dedev/previews/88831526-f63f-42f2-98d9-957fbea78fc0

     Type                     Name                 Plan     Info
     pulumi:pulumi:Stack      aws_bucket_go-dedev           4 war
     └─ pulumi:providers:aws  default                       1 err

Diagnostics:
  pulumi:providers:aws (default):
    error: rpc error: code = Unknown desc = unable to validate AWS credentials.
    Details: No valid credential sources found. Please see https://www.pulumi.com/registry/packages/aws/installation-configuration/
    for more information about providing credentials.

    Error: failed to refresh cached credentials, failed to read cached SSO token file, open /Users/vvm/.aws/sso/cache/55357933a7310d2db90c3fa1ed0970a7bb34ed39.json: no such file or directory

    Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`.

  pulumi:pulumi:Stack (aws_bucket_go-dedev):
    warning: using pulumi-language-go from $PATH at /opt/homebrew/bin/pulumi-language-go
    warning: using pulumi-resource-aws from $PATH at /Users/vvm/code/pulumi-aws/bin/pulumi-resource-aws
    warning: using pulumi-language-go from $PATH at /opt/homebrew/bin/pulumi-language-go
    warning: using pulumi-resource-aws from $PATH at /Users/vvm/code/pulumi-aws/bin/pulumi-resource-aws
```
@t0yv0
Copy link
Member

t0yv0 commented Nov 3, 2023

Great job on removing duplication @VenelinMartinov ! Can you post how the error message presents with the latest changes, so we can cross-check Luke's concerns above on the message being "quite complex and awkward"? Thank you! We're very close to closing this out.

@VenelinMartinov
Contributor

Here is the error which shows when I delete my aws config and login cache:

```
View in Browser (Ctrl+O): https://app.pulumi.com/venelin-pulumi-corp/aws_bucket_go/dev/previews/d6b31694-92b2-4a07-aa7d-69c85273dfd2

     Type                     Name               Plan       Info
 +   pulumi:pulumi:Stack      aws_bucket_go-dev  create     3 war
     └─ pulumi:providers:aws  default                       1 err

Diagnostics:
  pulumi:providers:aws (default):
    error: rpc error: code = Unknown desc = unable to validate AWS credentials.
    Details: failed to get shared config profile, aws
    Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`.

    NEW: You can use Pulumi ESC to set up dynamic credentials with AWS OIDC to ensure the correct and valid credentials are used.
    Learn more: https://www.pulumi.com/blog/esc-env-run-aws/
```

#2949 should now remove all the duplication.

VenelinMartinov added a commit to pulumi/pulumi-terraform-bridge that referenced this issue Nov 16, 2023
The muxer previously de-duplicated `CheckFailure`s but not Go errors.
This PR should add that and address
#1418 but not
the original issue in
pulumi/pulumi-aws#2285 (comment).
See
#1418 (comment)

This fixes duplicated error messages in the aws-provider when no aws
region is specified.

Before:
```
    error: rpc error: code = Unknown desc = 2 errors occurred:
    	* unable to validate AWS credentials.
    Details: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, failed to resolve service endpoint, endpoint rule error, Invalid Configuration: Missing Region
    Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`.

    	* unable to validate AWS credentials.
    Details: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, failed to resolve service endpoint, endpoint rule error, Invalid Configuration: Missing Region
    Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`.
```

After:
```
    error: rpc error: code = Unknown desc = unable to validate AWS credentials.
    Details: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, failed to resolve service endpoint, endpoint rule error, Invalid Configuration: Missing Region
    Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`.
```
@VenelinMartinov VenelinMartinov self-assigned this Jan 24, 2024
VenelinMartinov added a commit to pulumi/pulumi-terraform-bridge that referenced this issue Jan 25, 2024
Helps with pulumi/pulumi-aws#2285

This removes the bad error message `error: rpc error: code = Unknown
desc =` and makes it more comprehensible: `pulumi:providers:aws resource
'default_6_18_2' has a problem:`


The error message was this before:
```
Diagnostics:
  pulumi:providers:aws (default):
    error: rpc error: code = Unknown desc = unable to validate AWS credentials.
    Details: failed to get shared config profile, aws
    Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`.
```


The distinction between an error and a failure seems to be if it was
expected/unexpected IIUC. If that is true then this must be a failure
instead of an error.
VenelinMartinov added a commit to pulumi/pulumi-terraform-bridge that referenced this issue Jan 29, 2024
Similar to #1640,
should help with pulumi/pulumi-aws#2285.

Allow `PreConfigureCallback` to return failures in PF bridge as well as
sdkv2.
VenelinMartinov added a commit that referenced this issue Jan 31, 2024
Should fully address #2285
after pulumi/pulumi-terraform-bridge#1640

This makes the error messages when the user has no credentials or no
region configured better and more actionable:

Before, no credentials configured:

```
error: pulumi:providers:aws resource 'default_6_18_2' has a problem: could not validate provider configuration: unable to validate AWS credentials.
    Details: No valid credential sources found. Please see https://www.pulumi.com/registry/packages/aws/installation-configuration/
    for more information about providing credentials.

    Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request canceled, context deadline exceeded

    Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`.
```

The line about the region is irrelevant here.

After, no credentials configured:
```
Diagnostics:
  pulumi:providers:aws (default_6_18_2):
    error: pulumi:providers:aws resource 'default_6_18_2' has a problem: could not validate provider configuration: unable to validate AWS credentials.
    Details: No valid credential sources found. Please see https://www.pulumi.com/registry/packages/aws/installation-configuration/
    for more information about providing credentials.

    Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request canceled, context deadline exceeded
```


Before, no region configured:
```
Diagnostics:
  pulumi:providers:aws (default_6_18_2):
    error: pulumi:providers:aws resource 'default_6_18_2' has a problem: could not validate provider configuration: unable to validate AWS credentials.
    Details: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts..amazonaws.com/": dial tcp: lookup sts..amazonaws.com: no such host
    Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`.
```

Here, it is not at all clear that it is the region at fault, since the
note about setting the region shows up every time.

After, no region configured:
```
Diagnostics:
  pulumi:providers:aws (default_6_18_2):
    error: pulumi:providers:aws resource 'default_6_18_2' has a problem: could not validate provider configuration: missing region information
    Make sure you have set your AWS region, e.g. `pulumi config set aws:region us-west-2`.
    Details: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts/..amazonaws.com/": dial tcp: lookup sts..amazonaws.com: no such host
```
The note about `config set aws:region` only shows up in this error case,
so clearly actionable.


For comparison, upstream, no credentials configured:
```
│ Error: configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│
│ AWS Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, http response error StatusCode: 404, request to EC2 IMDS failed
│
│
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on main.tf line 12, in provider "aws":
│   12: provider "aws" {
│
╵
```
@VenelinMartinov VenelinMartinov added the resolution/fixed This issue was fixed label Jan 31, 2024
7 participants