https://pulumi.com logo
#aws
Title
# aws
s

salmon-ghost-86211

07/15/2020, 2:27 PM
I'm trying to create access keys, write a few fields into a new JSON object and convert it to ciphertext, then save it to S3 as a new file. Before this code I create a KMS key (myKms), and IAM user (iamUser) and have an S3 bucket object defined (myS3Bucket). If
userIamAccessKeys.id
or
userIamAccessKeys.secret
is the only
content
on the BucketObject, it writes successfully. If
encryptedKeys
ciphertext is the
content
, the text written is
[object Object]
. I can't seem to use
toJSON
or
toString
or
.apply
to build the ciphertext. How do I pull out some details from the
AccessKey
, convert it to
Ciphertext
and insert it into the
BucketObject
content
?
Copy code
const userIamAccessKeys = new aws.iam.AccessKey(
    "iam-access-key",
    { user: iamUser.name, },
    { dependsOn: iamUser }
);

const encryptedKeys = new aws.kms.Ciphertext(
    "user-encrypted-keys",
    {
        keyId: myKms.keyId,
        plaintext: `{
          "access_key": ${userIamAccessKeys.id},
          "secret_key": ${userIamAccessKeys.secret}
        }
        `
    },
    { dependsOn: userIamAccessKeys }
);

// Store the already encrypted access keys in S3
const accessKeysInS3 = new aws.s3.BucketObject(
    "access-keys-in-s3",
    {
        bucket: myS3Bucket.apply(bucket => bucket.id),
        content: encryptedKeys.toString(),
        key: "accesskeys.json.enc"
    },
    { dependsOn: [userIamAccessKeys, encryptedKeys] }
);
g

gentle-diamond-70147

07/15/2020, 3:33 PM
You don't need to do anything with
.apply
for
bucket
or
content
in your
aws.s3.BucketObject
. If you're just passing the output of one resource as the input to another resource, you can use the resource output directly. So this:
Copy code
const accessKeysInS3 = new aws.s3.BucketObject(
    "access-keys-in-s3",
    {
        bucket: myS3Bucket.apply(bucket => bucket.id),
        content: encryptedKeys.toString(),
        key: "accesskeys.json.enc"
    },
    { dependsOn: [userIamAccessKeys, encryptedKeys] }
);
can become this:
Copy code
const accessKeysInS3 = new aws.s3.BucketObject(
    "access-keys-in-s3",
    {
        bucket: myS3Bucket.bucket,
        content: encryptedKeys.ciphertextBlob,
        key: "accesskeys.json.enc"
    },
    { dependsOn: [userIamAccessKeys, encryptedKeys] }
);
But, since you are manipulating the values of your
userIamAccessKeys
you do need to create your
plaintext
input in a different way. The reason for this is because those outputs (
userIamAccessKeys.id
and
userIamAccessKeys.secret
) are not yet known until AWS assigns them you need to tell Pulumi to wait for them to become available. Using
pulumi.interpolate
is the easiest way in this case.
So your complete code should look like the attached (with some added at the top for me to test it).
If I view the bucket object after I get what looks like real ciphertext:
Copy code
% aws s3 cp s3://$(pulumi stack output bucketName)/accesskeys.json.enc -
AQICAHgynVhNR5sTVMKg1GXDsF3vTA1FT5McgyMgENLw4aITywE1avXQZYL301sbg/UnP/FlAAAA5jCB4wYJKoZIhvcNAQcGoIHVMIHSAgEAMIHMBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDINNGvlWSXl4unm+hAIBEICBnmq+JUNE4DPlEhHK5c5CTH3SJ8DFwosDp/tcM6ONQ6zJBwwho7I1IFzdq6NUXiWZ5JlkNLvR8blqWll4tionhUWfOR1NM2CLWuBMRFTXux15kBPKo8l3UY+1q7jp4r0eONUFweQCdrXX/36JQf8OKOY8Ed9SgeXSSW1Tgnnw5B4AJqR1S+0hc33QAupyg0/C0fQmZwsRGE2lasvwTIw4
s

salmon-ghost-86211

07/15/2020, 3:41 PM
Thank you so much. I really appreciate your help.
👍 1