powerful-fall-86307
03/19/2023, 8:46 AM
command:remote:CopyFile in TypeScript.
I provide a private key by reading it from a file, and then marking it as sensitive data by wrapping its content using pulumi.secret(fileContent).
const privateKey = pulumi.secret(fs.readFileSync(privateKeyFileName).toString())
Note how I don't keep the raw file content around for security purposes, and I've verified that this is the variable I'm passing directly as the connection options.
But if the CopyFile command fails, e.g. the VM is not running, it still error logs the raw private key - which I don't want in the error logs.
Weirdly the private key password that I get as a secret from the pulumi config is shown as the expected [secret] in the CopyFile error message. I'm thinking that the CopyFile may use the raw private key value for logging by mistake, but I couldn't locate the source code for the CopyFile command in GitHub (where is it??). Is this a bug in CopyFile?
Edit: There appear to be different semantics for the error logging of pulumi.secret() vs secrets retrieved from config via config.requireSecret(). The former is logged as raw by CopyFile for privateKey, exposing the secret, the latter error logs as [secret] 🤔
pulumi.secret on a string read from the file system as private key:
error: command:remote:CopyFile resource 'customer-test-copy': property connection value {&{{map[dialErrorLimit:{10} port:{22} privateKey:{-----BEGIN OPENSSH PRIVATE KEY-----
Error log from using config.requireSecret as private key:
error: command:remote:CopyFile resource 'customer-test-copy': property connection value {&{{map[dialErrorLimit:{10} port:{22} privateKey:{[secret]} privateKeyPassword:{[secret]}
billowy-army-68599
03/19/2023, 4:02 PM