AWS IAM and other services don't work anymore (TLS issue) #4573

Closed
timlukastlt opened this issue Sep 27, 2024 · 6 comments · Fixed by #4583
Labels
kind/bug Some behavior is incorrect or out of spec p1 A bug severe enough to be the next item assigned to an engineer resolution/fixed This issue was fixed

Comments

@timlukastlt

Describe what happened

Pulumi is attempting to make a request to iam.amazonaws.com but uses TLS 1.0. Since AWS only supports higher versions of TLS, the request is blocked, as shown in the image below:
Image

For sts as an example, the requests from Pulumi are working because it uses TLS3.
Image

Sample program

import pulumi
import pulumi_aws as aws

example = aws.iam.get_role(name="example-iam-role")

Log output

The program just shows creating... for one hour (55-65 minutes).
After that it shows that the connection to iam.amazonaws.com was not possible.

Affected Resource(s)

We got this error for iam

Output of pulumi about

CLI         
Version     3.134.1
Go Version   go1.23.1
Go Compiler  gc

Plugins
KIND      NAME    VERSION
resource  aws     6.53.0
language  python  unknown

Host    
OS       debian
Version  12.7
Arch     x86_64

This project is written in python: executable='/app/venv/bin/python' version='3.9.20'

Backend       
Name           3fd5c982165b
URL            s3://our-bucket/test123
User           root
Organizations 
Token type     personal

Dependencies:
NAME        VERSION
pip         23.0.1
pulumi_aws  6.53.0
setuptools  58.1.0

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@timlukastlt timlukastlt added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Sep 27, 2024
@t0yv0 t0yv0 added the p1 A bug severe enough to be the next item assigned to an engineer label Sep 28, 2024
@flostadler
Contributor

I'm sorry you're running into this @timlukastlt. I'm starting to investigate it and will provide updates as soon as possible!

@flostadler flostadler self-assigned this Sep 30, 2024
@flostadler flostadler removed the needs-triage Needs attention from the triage team label Sep 30, 2024
@flostadler
Contributor

flostadler commented Sep 30, 2024

@timlukastlt I'm not yet able to reproduce this on my end, but I'm strongly convinced that this was caused by upgrading the provider to use Go 1.23.
This Go update introduced a minor change to the crypto/tls standard library package that seemed to trip up the AWS firewalls.
The upstream provider was affected by this same problem. They fixed it by disabling this experimental key exchange mechanism.
We should do the same on our end as a short-term workaround.

@timlukastlt can you try downgrading pulumi-aws to v6.50.1? This one is still using Go 1.22 and shouldn't be affected.
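
An added illustration of the comment above (not code from this thread or from either provider): Go 1.23 offers the hybrid X25519Kyber768Draft00 key share by default when Config.CurvePreferences is nil, which can be reverted with GODEBUG=tlskyber=0 or by pinning the curve list as shown here. The sketch measures the ClientHello each config produces over an in-memory pipe; classicalOnly, clientHelloSize and the example.test server name are assumptions made for this example.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"fmt"
	"io"
	"net"
)

// classicalOnly returns a client config whose key exchange offers are pinned
// to classical curves. A non-nil CurvePreferences overrides the Go default,
// so no hybrid post-quantum key share is sent.
func classicalOnly(serverName string) *tls.Config {
	return &tls.Config{
		ServerName:       serverName,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// clientHelloSize starts a handshake over an in-memory pipe and returns the
// size in bytes of the first TLS record the client sends (the ClientHello).
func clientHelloSize(cfg *tls.Config) (int, error) {
	clientSide, serverSide := net.Pipe()
	defer serverSide.Close()
	go func() {
		defer clientSide.Close()
		_ = tls.Client(clientSide, cfg).Handshake() // fails once the pipe closes
	}()
	header := make([]byte, 5) // type(1) | legacy version(2) | length(2)
	if _, err := io.ReadFull(serverSide, header); err != nil {
		return 0, err
	}
	bodyLen := int(binary.BigEndian.Uint16(header[3:]))
	if _, err := io.CopyN(io.Discard, serverSide, int64(bodyLen)); err != nil {
		return 0, err
	}
	return len(header) + bodyLen, nil
}

func main() {
	const name = "example.test" // constructed SNI value, nothing is resolved
	def, _ := clientHelloSize(&tls.Config{ServerName: name})
	pinned, _ := clientHelloSize(classicalOnly(name))
	fmt.Printf("default ClientHello: %d bytes\npinned ClientHello:  %d bytes\n", def, pinned)
}
```

The default figure depends on the Go toolchain that builds the program: on Go 1.22 the two sizes are nearly equal, while on a toolchain that offers a hybrid post-quantum share by default the ClientHello is more than 1 KB larger.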

@flostadler
Contributor

I created a PR that should fix this problem: #4583
Also opened #4582 to correlate other issues and track a long-term fix.

@timlukastlt
Author

@flostadler thank you for investigating this issue so promptly. I tested with version v6.50.1, and it works with that one. 👍

@pulumi-bot pulumi-bot added the resolution/fixed This issue was fixed label Sep 30, 2024
@flostadler
Contributor

The fix got merged. I kicked off a release that should complete in the next hours.

@pulumi-bot
Contributor

This issue has been addressed in PR #4583 and shipped in release v6.54.1.
