https://pulumi.com logo
Join Slack
Powered by
:thread:pulumi + auth0 + python : warning: client_...
# getting-started
m
๐Ÿงตpulumi + auth0 + python : warning: client_secret is deprecated REPRO $ pulumi new -> auth0-python
Copy code
Reading the client secret through this attribute is deprecated and it will be removed in a future version. Migrate to the `auth0_client_credentials` resource to manage a client's secret instead or use the `auth0_client` data source to read this property.
I'm trying to manage my auth0 tenancies using pulumi. I'd prefer to not use the default client_secret as this is not as secure as using something like Auth0 
Private Key JWT.
And it seems that the error message indicates that using the client credentials is now the preferred way to do this... only I don't see any examples for how to configure this from the yaml files... This link sort of helps, but again, I just need a basic example of how to configure this from yaml: https://www.pulumi.com/registry/packages/auth0/api-docs/clientcredentials/
s
I haven't had the opportunity to use the Auth0 provider yet, but what's missing from the YAML example on the link you shared that you need?
m
The example code generator generates the yaml for the client secret:
Copy code
12:05 $ cat Pulumi.foo.yaml 
config:
  auth0:clientId:
    secure: abc...elided
  auth0:clientSecret:
    secure: abc...elided
  auth0:domain: my-cool-domain.us.auth0.com
And that is fine, if you want to use client secrets. But, as the warning indicates, this is deprecated. Which is a good thing, it's not nearly as secure as using PrivateKeyJWT (available to enterprise customers). The warning indicates this is possible... but I don't see any examples for how to wire this up. The auth0 provider expects to have these vars in the config... I guess I can go spelunk the provider code to see what it expects...
s
Oh, I see...you don't need a YAML example, you need to see how to configure things in the stack configuration file. So, the link you shared shows how to use a private key JWT, and if you want to pass in the JWT as a configuration value then you'll want to use 
config
in your Python program (I'll see if I can find an example for you) to pull that from the configuration. To get it into the configuration, you'd use 
pulumi config set <key> <value>
at the CLI after creating your stack. Does that help?
To get a PEM file into the stack configuration using 
pulumi config set
, you'd use a command like this:
Copy code
cat /path/to/pem/file | pulumi config set pemFile
m
Thank you, yes, I know how to set the pem file into the config.
What I don't see is how to configure the provider. It's going to want data structured in a certain way... the examples show how to use client secrets. I just need an example showing how to use one of these others...
s
Based on a quick perusal of the provider, it doesn't look like the provider code has been updated to use anything other than the deprecated 
client_secret
configuration value/environment variable. However, I assume (given that you filed https://github.com/pulumi/pulumi-auth0/issues/378) that you'd already come to this conclusion. I'm not aware of any workaround at this time, sorry.
m
Thanks for the help Scott. I wasn't completely sure, and I appreciate the assist.
s
NP, happy to help!
@millions-alligator-79652 We opened a PR to update the 
README
for the Auth0 provider that documents some additional configuration options for the provider. I think this should resolve the issue. Would you mind having a look and letting me know if it does take care of the issue? https://github.com/pulumi/pulumi-auth0/pull/381
m
@salmon-account-74572 Cool, I'll check that out...
@salmon-account-74572 I commented in #381, this looks great and unblocks my use case. Thank you!
s
No need to thank me, thank our outstanding engineering team! ๐Ÿ˜„ Glad you are unblocked.
m
:0)
Open in Slack
PreviousNext
Powered by