Hey, I'm having difficulty in getting secrets out ...
# general
c
Hey, I'm having difficulty in getting secrets out from my config. The secrets are listed, such as:
config: deploymentnamedata namespace1: - secure: ---redacted---
I have tried the following method, but the secret is just returned as a string "secret".
config = pulumi.Config()
config.get_secret_object("data").apply(lambda asd: print("secret is", asd))
How can I get the secret out not encrypted?
d
Pulumi will redact secrets when printed, so you may be running into that. Try accessing the object and printing a character instead
c
Printing what character?
d
In the secret string. So
asd["namespace1"][0]
c
That prints [secret]
But that would be replaced with the actual secret when passed to another resource initialization?
d
(sorry, misread). Yes, when passing to resources, it will have the actual value
c
Okay, so how would I add a reference to it to somewhere? That way the only reference can be inside the lambda, which isn't ideal
d
Pulumi uses something called Inputs and Outputs. The engine itself knows how to resolve references like this when constructing resource objects
c
Okay, do I get the Output object somehow similar to this? config.get_secret_object("data.namespace1")[0]
d
The way you'd use it is:
data = config.get_secret_object("data")
resource = SomeResource(
  "name",
  ns=data["namespace1"],  # or ns=data.apply(lambda d: d["namespace1"])
)
c
the namespace1 contains a list (which now only has 1 member but more in the future). so the [0] should be there, right?
d
Yes
Oh cool, I did not know you could encrypt a list. TIL
c
So did some digging. However, I couldn't figure out how to get the config list's name "namespace1" out and the list of secrets too. I'm trying to iterate the data object such as:
for namespace, secrets in data.items():
    doSomething(namespace, secrets)
These Output objects are quite hard to understand since they behave differently when forced to string, compared to only passing the object as reference. Is there a way to know how it can be iterated or which fields it will have later on?
d
Outputs are generally not available when the main script runs, so you're not able to iterate on them to make new resources
c
Okay, so complex config values (lists in list etc) are not easy to deal with? Could I alternatively just hash the whole thing into one string and then in code do some stuff to it?
d
So you can pass the values in (or processed values) to resources, you can't process the values to determine whether a resource should be created or not. Basically, you need to know the shape of your resources ahead of time
c
Ah, that makes sense. Is there a reason for having the config hard to reach? The config should be completely decrypted and available without the future-like behavior, before the pulumi runs...
d
I'm unsure on the rationale for why secrets are Outputs. Normal config items are usable directly though
c
Okay. It might be worth it for me to ditch secrets in this case. To clarify: It is possible to process non-secret config values to determine whether to create a resource or not?
Anyway, thanks for the help ❤️
d
Yes
l
FYI for debugging purposes, you can use the unsecret() function to turn off the redaction. https://www.pulumi.com/docs/reference/pkg/python/pulumi/#pulumi.Output.unsecret