miniature-lion-41490

05/17/2023, 9:25 AM
So a more general question, but is there any risk in sharing the stack file, except showing the actual resources etc? If you have sensitive outputs, sure, but other than that - does it contain sensitive data? More a general question

salmon-account-74572

05/17/2023, 3:10 PM
I don’t believe so, but you can double-check that yourself! Just use `pulumi stack export > file.json` and then review the contents. 🙂

miniature-lion-41490

05/17/2023, 3:15 PM
Yes yes, I know how to see the state file 😅 That is why I asked. Is it problematic to share it? Can people abuse it? Let's say I just shared it publicly. Would that be bad?

salmon-account-74572

05/17/2023, 3:18 PM
I wouldn’t share it publicly. It has all the provider-specific identifiers and such for your resources in it.

miniature-lion-41490

05/17/2023, 3:20 PM
That is what I am trying to gain insight into. What potential risks are associated if I were to do so?

salmon-account-74572

05/17/2023, 3:33 PM
I’m not a security professional, so I can’t really advise you on the risks associated with publicly exposing resource identifiers and other information about your cloud resources. As far as I am aware, I don’t believe it’s recommended, and I (personally) wouldn’t want to expose any information that potential attackers might use to find a weak point in my company’s infrastructure.

miniature-lion-41490

05/17/2023, 4:56 PM
That's fair :) I am not intending to, but I am considering the level of encryption or security I should see the stack of. I.e. will an attack on the Pulumi be an attack on me? If I had any integration with the buckets the stack is stored in, what is my risk etc.? But I'll try to find answers somewhere else. I.e. source code is also often not open source, but the risk isn't direct. I am mainly trying to figure out if it's comparable. I am looking into developing integrations that need to skim the stack, and I want to know what risk I am putting potential users at.