https://pulumi.com logo
#general
Title
# general
h

helpful-secretary-93852

06/23/2023, 3:06 PM
Good morning (or evening) everybody! ❤️ It's been days that's i've been really stuck on an issue on secrets and pulumi yaml. i can't prevent secrets not to be exposed plaintext on resource properties. is there a way to do that?
Copy code
sshCommands:
    type: command:remote:Command
    properties:
      connection:
        host: ${debianserver.ipv4Address}
        user: user
        privateKey: ${AUTHORIZED_PRIVATE_KEY}
        port: 22
      create: echo ''
    options:
      additionalSecretOutputs:
        - create
        - connection
where "AUTHORIZED_PRIVATE_KEY" is a secret declared in the config-map of my github-ci pipeline (marked "secret": true) but then the input (whereas the output is ok) is exposed to the state in plaintext
Copy code
"inputs": {
                    "connection": {
                        "host": "1.1.1.1",
                        "port": 22,
                        "privateKey": "-----BEGIN OPENSSH PRIVATE KEY----- ...",
                        "user": "user"
                    },
                    "create": "echo ''"
                },
b

billowy-army-68599

06/23/2023, 3:08 PM
Have you set it as a secret in your Pulumi config?
h

helpful-secretary-93852

06/23/2023, 3:10 PM
yes, i've set "secret": true in the config.map property of the github pipeline
b

billowy-army-68599

06/23/2023, 3:10 PM
Pulumi doesn’t have any information about that. You need to set it as a secret in Pulumi
You need to use fn:Secret
h

helpful-secretary-93852

06/23/2023, 3:11 PM
but i see from the pulumi web interface that it correctly identifies the variable as a secret, marking it as "encrypted" on the configuration tab
b

billowy-army-68599

06/23/2023, 3:12 PM
If that’s the case, it’s a bug, and would be good to open an issue
h

helpful-secretary-93852

06/23/2023, 3:13 PM
mmh that's right
for example, in the ci output, it replaces the varaibles with "[secret]"
the only thing plaintext remaining are the input properties
b

billowy-army-68599

06/23/2023, 3:22 PM
Okay that’s a bug, please file an issue
h

helpful-secretary-93852

06/23/2023, 3:23 PM
ok, i will do it, thanks
in regard to this bug report, i've open an issue here: https://github.com/pulumi/pulumi/issues/13286 in case someone experienced the same problem or wants to help 🤟
@billowy-army-68599 Can you help me with this issue? According to a collegue of yours the issue is in the missing fn:Secret. Do you agree?
How do i use fn:Secret?
2 Views