Hello does anyone have used `pulumi stack change secrets pro Pulumi Community #aws

Hello, does anyone have used `pulumi stack change-...

hallowed-carpet-28381

07/26/2023, 11:20 AM

Hello, does anyone have used

pulumi stack change-secrets-provider

? Right now just investigate possible way to solve migration case, need to migrate stacks that use

KMS

from one

AWS account

to another, for example stack using

kms-aws-acc1

, in target account this key doesn’t exist, so I would change it e.g to

kms-aws-acc2

, but what can be a problem - I think command works in this way : decrypt secrets using key1 -> using key2 encrypt it again, so pulumi should have an access to both keys in one time. It okay to solve using some cross-accounts

IAM roles

etc., but we can’t specify something source account for each

key

, so pulumi don’t know into which account key is stored, where it should looking for. Please, let me know if someone have similar case, it’s just my thoughts. And I think about something like intermediate

secretProvider

: change secret-provider from

key1

default

passphrase

-> change

aws:allowedAccountIds

, change role to target account -> change secret-provider to

key2

that available in the account Does it’s possible what I have described? Please, let me know your thoughts, experience Thanks!

hallowed-carpet-28381

07/26/2023, 2:00 PM

tested described approach, all what I mentioned looks correct, intermediate provider will work, but still would be grate in someone can share their experience 🙂

fierce-ability-58936

07/26/2023, 9:54 PM

Did you know you can specify an AWS profile for the state backend? https://www.pulumi.com/docs/concepts/state/#aws-s3 Similarly you can set it for the encryption provider - https://www.pulumi.com/docs/concepts/secrets/#available-encryption-providers So the state and the KMS key can be in different accounts.

hallowed-carpet-28381

07/27/2023, 12:20 PM

Cool, thanks, it will simplify the process

Open in Slack

Previous Next