damp-honey-93158

08/23/2022, 11:25 AM
Hi Pulumiers... just in case I'm missing something here - is it possible to decrypt a config value using the Pulumi Service REST API? I can get the stack, and the last update/state for the stack - and my goal (for some tests I'm writing) is to be able to use the service to decrypt a config value. Context helps: this is a unit test, and I want to validate that something has been done in the underlying service, the PAT for that service is encrypted in the config.

echoing-dinner-19531

08/23/2022, 1:02 PM
You can. api.pulumi.com/api/{org}/{project}/{stack}/decrypt, POST to that endpoint with a JSON object with one field "ciphertext" which has the base64 ciphertext to decrypt.
I'm hoping to get an openapi spec written up for the whole service to make things like this more discoverable

damp-honey-93158

08/23/2022, 1:03 PM
and that would make my wrapper/api stuff obsolete (which would be GREAT).
thank you! I'll try this out ...
so I know - is this documented somewhere?

echoing-dinner-19531

08/23/2022, 1:09 PM
no it's not documented anywhere right now (unless you count code as docs, in which case https://github.com/pulumi/pulumi/blob/master/pkg/backend/httpstate/client/client.go#L405-L413)

damp-honey-93158

08/23/2022, 1:36 PM
@echoing-dinner-19531 VERY good link - that helped me find my bug! The url is api.pulumi.com/api/stacks/{org}/{project}/{stack}/decrypt - thanks a bunch for the info - I'd not have found that on my own 🙂

echoing-dinner-19531

08/23/2022, 1:37 PM
ah yes sorry, forgot about the /stacks part
will all be much easier with an openapi spec 🙂

damp-honey-93158

08/24/2022, 3:30 PM
I'm trying that with a stack that has its own encryption provider (key vault in this case); is it expected that the REST call will work in this case as well?

echoing-dinner-19531

08/24/2022, 7:31 PM
Nope, the SaaS only deals with service encryption/decryption. If you want stack config decrypted from another secrets provider you'll need to query that provider (or just use pulumi config get)