# google-cloud

enough-baker-16813

02/19/2020, 3:50 PM
Has anyone managed to use Pulumi for the new GCP secret manager? I am having 403 issues creating secrets. I am able to create resources in the same Pulumi stack, so I am authenticated in Pulumi. Creating secrets with curl works fine, so I have permissions. If I compare the request sent by Pulumi and the curl command line, I see that the headers 'authorization' and 'x-goog-user-project' are missing. I'll put details in thread. I don't know how to debug the problem from here, so pointers would be welcome.
From pulumi log with --debug and TF_LOG=TRACE:
debug: Google API Request Details:
    debug: ---[ REQUEST ]---------------------------------------
    debug: incoming output value translated:  -> 
    debug: POST /v1beta1/projects/my-project-88b03ea/secrets?alt=json&secretId=my-secret-name HTTP/1.1
    debug: incoming output property translated: id -> id
    debug: Host: secretmanager.googleapis.com
    debug: User-Agent: HashiCorp Terraform/0.11+compatible (+https://www.terraform.io) Terraform Plugin SDK/1.4.0 terraform-provider-google-beta/dev
    debug: incoming output value translated: projects/my-project -> projects/my-project
    debug: Content-Length: 33
    debug: Content-Type: application/json
    debug: incoming output property translated: number -> number
    debug: Accept-Encoding: gzip
    debug: 
    debug: incoming output value translated: 608582423015 -> 608582423015
    debug: {
    debug: incoming output property translated: labels -> labels
    debug:  "replication": {
    debug:   "automatic": {}
    debug: incoming output value translated: {} -> {}
    debug: incoming output property translated: projectId -> project_id
    debug:  }
    debug: }
    debug: incoming output value translated: my-project -> my-project
Working curl command:
> curl "https://secretmanager.googleapis.com/v1beta1/projects/my-project-88b03ea/secrets?secretId=test-secret" --request "POST"  --header "authorization: Bearer $(gcloud auth print-access-token)"  --header "content-type: application/json" --header "x-goog-user-project: my-project-88b03ea" --data "{\"replication\": {\"automatic\": {}}}"