Hi again! When developing a provider, what is the best practice for storing a secret such as an API key that will be used to create/update the resources?

Your build platform should provide some options around this. Since you're using GitHub, that would be Encrypted Secrets: https://docs.github.com/en/actions/security-guides/encrypted-secrets

Hi @little-cartoon-10569 thank you for your response! I’m looking for a way that a user of my provider could store their own API key to a service like Jotform. Unless I’m missing something I don’t think Github is the first choice for that? Perhaps Pulumi config secrets are a best practice in this case?

What's the relationship between your Pulumi stacks and your user? Is it one:one? Secrets in stack files are a viable option for this. You can use GitHub secrets if you want a separate pipeline per stack; I don't think there are branch-level secrets in GitHub, so a branch per stack wouldn't help. You could also move the secrets to a vault somewhere, and store the (non-secret) address of the secret in your Pulumi config.

They would usually be passed to a provider with configuration values or environment variables. The same way you set AWS authentication, for example.

@little-cartoon-10569 Like

pulumi-aws

I expect (hope) many people would use this provider in different configurations and different numbers of people. And not everyone would use GitHub. I’ll look into it though, as well as other vaults. Thank you!

Yes, all user-specific configuration would need to be passed to the provider as a constructor argument. Your provider mustn't care how the user stores it.

@little-cartoon-10569 I think I have explored enough to ask you for elaboration. Bear with me while I set it up, as I’m a long time Pythoner first time Go-er: As a Pulumi user, I might do something like this in Python to set up some AWS resources in the us-east-2 region:

import pulumi_aws
provider = pulumi_aws.Provider("awseast", region="us-east-2")
bucket = aws.s3.Bucket("bucket", ...) # etc

Let’s say I want to modify the pulumi-provider-boilerplate to call a REST API to GET a random number. I want my Python pulumi project to use the same pattern as the AWS provider, by passing api_key to the provider constructor:

import pulumi_xyz
provider = pulumi_xyz.Provider("myprovider", api_key="my_api_key")
myrandom = provider.Random("myrandom", length=2)

So my question is, do you know what part of the boilerplate code I would need to change so that (1) I can make my eventual Python code look like that and (2) the provider has a saved api key available at the time

Random.Create()

(in provider/provider.go ) is called?

I don't, sorry. I'm not sure why the provider would even save an API key. Wouldn't it just get an object that talks to the real provider and keep that? Keeping a key in memory is something I generally try to avoid.

cc @ancient-policeman-24615 to help with the native provider setup

Ok, thanks! What do you mean by the “real” provider in this case?

I was trying to distinguish between the provider resource / library (e.g. pulumi-aws, or an instance of

@pulumi/aws/Provider

) and AWS. The aws Provider instance makes a connection to AWS (the "real provider"), but (I hope) it doesn't retain in memory the credentials used to make that connection.