# general
p
I'm seeing some strange behavior around secrets and error logging from the `command:remote:CopyFile` command in TypeScript. I provide a private key by reading it from a file, and then marking it as sensitive data by wrapping its content using `pulumi.secret(fileContent)`.
```typescript
const privateKey = pulumi.secret(fs.readFileSync(privateKeyFileName).toString())
```
Note how I don't keep the raw file content around for security purposes, and I've verified that this is the variable I'm passing directly as the connection options. But if the CopyFile command fails, e.g. the VM is not running, it still error logs the raw private key, which I don't want in the error logs. Weirdly, the private key password that I get as a secret from the pulumi config is shown as the expected `[secret]` in the CopyFile error message. I'm thinking that CopyFile may use the raw private key value for logging by mistake, but I couldn't locate the source code for the CopyFile command on GitHub (where is it??). Is this a bug in CopyFile?

Edit: There appear to be different semantics for the error logging of `pulumi.secret()` vs. secrets retrieved from config via `config.requireSecret()`. The former is logged as raw by CopyFile for privateKey, exposing the secret; the latter error logs as `[secret]` 🤔
Error log from using `pulumi.secret` on a string read from the file system as the private key:

```
error: command:remote:CopyFile resource 'customer-test-copy': property connection value {&{{map[dialErrorLimit:{10} port:{22} privateKey:{-----BEGIN OPENSSH PRIVATE KEY-----
```
Error log from using `config.requireSecret` as the private key:

```
error: command:remote:CopyFile resource 'customer-test-copy': property connection value {&{{map[dialErrorLimit:{10} port:{22} privateKey:{[secret]} privateKeyPassword:{[secret]}
```
b
please file an issue