Hi Pulumiers... just in case I'm missing something...
# general
d
Hi Pulumiers... just in case I'm missing something here - is it possible to decrypt a config value using the Pulumi Service REST API? I can get the stack, and the last update/state for the stack - and my goal (for some tests I'm writing) is to be able to use the service to decrypt a config value. Context helps: this is a unit test, and I want to validate that something has been done in the underlying service, the PAT for that service is encrypted in the config.
e
You can. api.pulumi.com/api/{org}/{project}/{stack}/decrypt , POST to that endpoint with a JSON object with one field "ciphertext" which has the base64 ciphertext to decrypt.
I'm hoping to get an openapi spec written up for the whole service to make things like this more discoverable
d
and that would make by wrapper/api stuff obsolete (which would be GREAT).
thank you! I'll try this out ...
so I know - is this documented somewhere?
e
no it's not documented anywhere right now (unless you count code as docs, in which case https://github.com/pulumi/pulumi/blob/master/pkg/backend/httpstate/client/client.go#L405-L413)
d
@echoing-dinner-19531 VERY good link - that helped me find my bug! The url is api.pulumi.com/api/stacks/{org}/{project}/{stack}/decrypt - thanks a bunch for the info - I'd not have found that on my own 🙂
e
ah yes sorry, forgot about the /stacks part
will all be much easier with an openapi spec 🙂
🎉 1
d
I'm trying that with a stack that has it's own encryption provider (key vault in this case); is it expected that the REST call will work in this case as well?
e
Nope, the SASS only deals with service encryption/decryption. If you want stack config decrypted from another secrets provider you'll need to query that provider (or just use
pulumi config get)