millions-train-91139
11/08/2023, 7:17 AM
readonly permissions on some stacks.
I assumed running pulumi preview will work just fine.
It does, but after showing a correct preview it fails with:
error: failed to encrypt secret value: [404] Not Found: Stack 'my-stack' not found
When I give it write permissions on the stack, it succeeds.
Why does it try to encrypt anything on preview, seems like a bug
deployment.go
var ciphertext string
if cachingCrypter, ok := enc.(*cachingCrypter); ok {
	ciphertext, err = cachingCrypter.encryptSecret(prop.SecretValue(), plaintext)
} else {
	ciphertext, err = enc.EncryptValue(ctx, plaintext)
}
if err != nil {
	return nil, fmt.Errorf("failed to encrypt secret value: %w", err)
}
contract.AssertNoErrorf(err, "marshalling underlying secret value to JSON")
I assume the following endpoint is not accessible to readonly permission to a stack.
addEndpoint("POST", "/api/stacks/{orgName}/{projectName}/{stackName}/encrypt", "encryptValue")
I think it should, otherwise it is not possible to run previews in readonly when there is a secret in the stack.
---
I assume switching to a different secret provider (gcpkms) will also solve it, since I will be able to give it encrypt permissions?
---
The other option is to change pulumi to not encrypt what it tries to encrypt - but that would be a deeper change.
lemon-agent-27707
11/10/2023, 3:32 AM
millions-train-91139
11/10/2023, 7:17 AM
--save-plan flag, when I don’t, everything works great.