I m seeing some strange behavior around secrets and error lo

Question

I m seeing some strange behavior around secrets and error logging from the `command remote CopyFile` in TypeScript I provide a private key by reading it from a file and then marking it as sensitive data by wrapping its content using `pulumi secret fileContent ` ```const privateKey = pulumi secret fs readFileSync privateKeyFileName toString ``` Note how I don t keep the raw file content around for security purposes and I ve verified that this is the variable I m passing directly as the connection options But if the CopyFile command fails e g the VM is not running it still error logs the raw private key which I don t want in the error logs Weirdly the private key password that I get as a secret from the pulumi config is shown as the expected ` secret ` in the CopyFile error message I m thinking that the CopyFile may use the raw private key value for logging by mistake but I couldn t locate the source code for the CopyFile command in GitHub where is it Is this a bug in CopyFile Edit There appears to be different semantics for the error logging of `pulumi secret ` vs secrets retrieved from config via `config requireSecret ` The former is logged as raw by CopyFile for privateKey exposing the secret the latter error logs as ` secret ` thinking face

powerful-fall-86307 · Answer

Error log from using `pulumi secret` on a string read from the file system as private key ```error command remote CopyFile resource customer test copy property connection value amp map dialErrorLimit 10 port 22 privateKey BEGIN OPENSSH PRIVATE KEY ``` Error log from using `config requireSecret` as private key ```error command remote CopyFile resource customer test copy property connection value amp map dialErrorLimit 10 port 22 privateKey secret privateKeyPassword secret ```

billowy-army-68599 · Answer

please file an issue