https://pulumi.com logo
#getting-started
Title
# getting-started
m

millions-alligator-79652

12/15/2023, 7:48 PM
๐Ÿงตpulumi + auth0 + python : warning: client_secret is deprecated REPRO $ pulumi new -> auth0-python
Copy code
Reading the client secret through this attribute is deprecated and it will be removed in a future version. Migrate to the `auth0_client_credentials` resource to manage a client's secret instead or use the `auth0_client` data source to read this property.
I'm trying to manage my auth0 tenancies using pulumi. I'd prefer to not use the default client_secret as this is not as secure as using something like Auth0
Private Key JWT.
And it seems that the error message indicates that using the client credentials is now the preferred way to do this... only I don't see any examples for how to configure this from the yaml files... This link sort of helps, but again, I just need a basic example of how to configure this from yaml: https://www.pulumi.com/registry/packages/auth0/api-docs/clientcredentials/
s

salmon-account-74572

12/15/2023, 8:04 PM
I haven't had the opportunity to use the Auth0 provider yet, but what's missing from the YAML example on the link you shared that you need?
m

millions-alligator-79652

12/15/2023, 8:05 PM
The example code generator generates the yaml for the client secret:
Copy code
12:05 $ cat Pulumi.foo.yaml 
config:
  auth0:clientId:
    secure: abc...elided
  auth0:clientSecret:
    secure: abc...elided
  auth0:domain: my-cool-domain.us.auth0.com
And that is fine, if you want to use client secrets. But, as the warning indicates, this is deprecated. Which is a good thing, it's not nearly as secure as using PrivateKeyJWT (available to enterprise customers). The warning indicates this is possible... but I don't see any examples for how to wire this up. The auth0 provider expects to have these vars in the config... I guess I can go spelunk the provider code to see what it expects...
s

salmon-account-74572

12/15/2023, 8:11 PM
Oh, I see...you don't need a YAML example, you need to see how to configure things in the stack configuration file. So, the link you shared shows how to use a private key JWT, and if you want to pass in the JWT as a configuration value then you'll want to use
config
in your Python program (I'll see if I can find an example for you) to pull that from the configuration. To get it into the configuration, you'd use
pulumi config set <key> <value>
at the CLI after creating your stack. Does that help?
To get a PEM file into the stack configuration using
pulumi config set
, you'd use a command like this:
Copy code
cat /path/to/pem/file | pulumi config set pemFile
m

millions-alligator-79652

12/15/2023, 8:15 PM
Thank you, yes, I know how to set the pem file into the config.
What I don't see is how to configure the provider. It's going to want data structured in a certain way... the examples show how to use client secrets. I just need an example showing how to use one of these others...
s

salmon-account-74572

12/15/2023, 8:27 PM
Based on a quick perusal of the provider, it doesn't look like the provider code has been updated to use anything other than the deprecated
client_secret
configuration value/environment variable. However, I assume (given that you filed https://github.com/pulumi/pulumi-auth0/issues/378) that you'd already come to this conclusion. I'm not aware of any workaround at this time, sorry.
m

millions-alligator-79652

12/15/2023, 8:28 PM
Thanks for the help Scott. I wasn't completely sure, and I appreciate the assist.
s

salmon-account-74572

12/15/2023, 8:30 PM
NP, happy to help!
@millions-alligator-79652 We opened a PR to update the
README
for the Auth0 provider that documents some additional configuration options for the provider. I think this should resolve the issue. Would you mind having a look and letting me know if it does take care of the issue? https://github.com/pulumi/pulumi-auth0/pull/381
m

millions-alligator-79652

12/19/2023, 6:39 PM
@salmon-account-74572 Cool, I'll check that out...
@salmon-account-74572 I commented in #381, this looks great and unblocks my use case. Thank you!
s

salmon-account-74572

12/19/2023, 8:19 PM
No need to thank me, thank our outstanding engineering team! ๐Ÿ˜„ Glad you are unblocked.
m

millions-alligator-79652

12/19/2023, 9:06 PM
:0)