wooden-vegetable-26535

10/05/2022, 7:31 AM
Hello everyone 🙂 I am currently working with the Pulumi REST API to provide data to a CLI script. I query api/stacks/<org>/<project>/<stack>/export to get a stack's output. Some of those outputs are encrypted, and I need a way to decrypt those for my script. Is there a way to decrypt the encrypted outputs of a stack/export REST API call without using the Pulumi CLI/SDK? Can you point me to documentation for this use case?

great-sunset-355

10/05/2022, 10:14 AM
Pulumi service is used as a default provider. I'm not sure you can call the service directly, but what you can do is use a different secrets provider service, e.g. AWS KMS / Hashi Vault, and then call that: https://www.pulumi.com/docs/intro/concepts/secrets/#configuring-secrets-encryption

wooden-vegetable-26535

10/05/2022, 11:31 AM
Yes, I had that idea too, but I don't think this would be an acceptable solution. Currently I see no way other than spawning a child process, calling the Pulumi CLI and interpreting the stdout, even though I wanted to avoid installing the Pulumi CLI.

echoing-dinner-19531

10/05/2022, 11:32 AM
I keep asking the service team for an OpenAPI spec of the service to point people to; it would make these questions easier. There is a decrypt endpoint you can hit, gimme a minute, I'll go dig it out.
❤️ 1
POST to api/{organization}/{project}/{stack}/decrypt with an object with one field, ciphertext, which is the base64 encoding of the bytes of the secret
👍 1

wooden-vegetable-26535

10/05/2022, 12:02 PM
Thank you!
The URL results in 404 😞

echoing-dinner-19531

10/05/2022, 1:32 PM
Hmm, I'm pretty sure that's the right URL: https://github.com/pulumi/pulumi/blob/master/pkg/backend/httpstate/client/client.go#L410 It might be because you don't have the correct auth token set, or did a GET instead of POST?
Oh wait! Silly me, I missed a part of the URL:
api/stacks/{organization}/{project}/{stack}/decrypt
🙌 1
Sorry about that

wooden-vegetable-26535

10/05/2022, 1:33 PM
Ah!

echoing-dinner-19531

10/05/2022, 1:33 PM
This is why we need an OpenAPI spec 😆

wooden-vegetable-26535

10/05/2022, 1:33 PM
Thank you
OK, I receive some value now 🙂