https://pulumi.com logo
#general
Title
# general
m

millions-train-91139

03/04/2024, 11:52 AM
General question about Provider resources. I see that it is a common choice, both in Pulumi and Terraform to save provider credentials (API keys) as provider inputs. I wonder why that is. First, it requires saving more secrets in state files - which could have not been saved there in the first place. Second, I think that different principals with same permissions should be able to run
pulumi
without worrying about state changes in providers. IMO authn/authz should not be save in IaC state. Some providers allow this (GCP, Kubernetes with GKE auth helper) but a lot do not (Datadog, LaunchDarkly, etc) What can I do about providers that save API keys in there state? Will ignoreChanges work?
f

freezing-vase-18205

03/04/2024, 1:25 PM
you can also use the credentials from the env vars. yes, this may result in having a file that you
source
to make use of it, but it doesn’t belong to the provider state I think
m

millions-train-91139

03/04/2024, 2:41 PM
Yes, I now see that the env var is being resolved from inside the provider and not resolved within the client and sent as an input, so shouldn’t be captured as input, thanks!
Will take a look at LaunchDarkly soon