https://pulumi.com logo
Powered by
#aws
Title
s

salmon-ghost-86211

07/15/2020, 2:27 PM
I'm trying to create access keys, write a few fields into a new JSON object and convert it to ciphertext, then save it to S3 as a new file. Before this code I create a KMS key (myKms), and IAM user (iamUser) and have an S3 bucket object defined (myS3Bucket). If 
userIamAccessKeys.id
or 
userIamAccessKeys.secret
is the only 
content
on the BucketObject, it writes successfully. If 
encryptedKeys
ciphertext is the 
content
, the text written is 
[object Object]
. I can't seem to use 
toJSON
or 
toString
or 
.apply
to build the ciphertext. How do I pull out some details from the 
AccessKey
, convert it to 
Ciphertext
and insert it into the 
BucketObject
content
?
Copy code
const userIamAccessKeys = new aws.iam.AccessKey(
    "iam-access-key",
    { user: iamUser.name, },
    { dependsOn: iamUser }
);

const encryptedKeys = new aws.kms.Ciphertext(
    "user-encrypted-keys",
    {
        keyId: myKms.keyId,
        plaintext: `{
          "access_key": ${userIamAccessKeys.id},
          "secret_key": ${userIamAccessKeys.secret}
        }
        `
    },
    { dependsOn: userIamAccessKeys }
);

// Store the already encrypted access keys in S3
const accessKeysInS3 = new aws.s3.BucketObject(
    "access-keys-in-s3",
    {
        bucket: myS3Bucket.apply(bucket => bucket.id),
        content: encryptedKeys.toString(),
        key: "accesskeys.json.enc"
    },
    { dependsOn: [userIamAccessKeys, encryptedKeys] }
);
g

gentle-diamond-70147

07/15/2020, 3:33 PM
You don't need to do anything with 
.apply
for 
bucket
or 
content
in your 
aws.s3.BucketObject
. If you're just passing the output of one resource as the input to another resource, you can use the resource output directly. So this:
Copy code
const accessKeysInS3 = new aws.s3.BucketObject(
    "access-keys-in-s3",
    {
        bucket: myS3Bucket.apply(bucket => bucket.id),
        content: encryptedKeys.toString(),
        key: "accesskeys.json.enc"
    },
    { dependsOn: [userIamAccessKeys, encryptedKeys] }
);
can become this:
Copy code
const accessKeysInS3 = new aws.s3.BucketObject(
    "access-keys-in-s3",
    {
        bucket: myS3Bucket.bucket,
        content: encryptedKeys.ciphertextBlob,
        key: "accesskeys.json.enc"
    },
    { dependsOn: [userIamAccessKeys, encryptedKeys] }
);
But, since you are manipulating the values of your 
userIamAccessKeys
you do need to create your 
plaintext
input in a different way. The reason for this is because those outputs (
userIamAccessKeys.id
and 
userIamAccessKeys.secret
) are not yet known until AWS assigns them you need to tell Pulumi to wait for them to become available. Using 
pulumi.interpolate
is the easiest way in this case.
So your complete code should look like the attached (with some added at the top for me to test it).
index.ts
If I view the bucket object after I get what looks like real ciphertext:
Copy code
% aws s3 cp s3://$(pulumi stack output bucketName)/accesskeys.json.enc -
AQICAHgynVhNR5sTVMKg1GXDsF3vTA1FT5McgyMgENLw4aITywE1avXQZYL301sbg/UnP/FlAAAA5jCB4wYJKoZIhvcNAQcGoIHVMIHSAgEAMIHMBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDINNGvlWSXl4unm+hAIBEICBnmq+JUNE4DPlEhHK5c5CTH3SJ8DFwosDp/tcM6ONQ6zJBwwho7I1IFzdq6NUXiWZ5JlkNLvR8blqWll4tionhUWfOR1NM2CLWuBMRFTXux15kBPKo8l3UY+1q7jp4r0eONUFweQCdrXX/36JQf8OKOY8Ed9SgeXSSW1Tgnnw5B4AJqR1S+0hc33QAupyg0/C0fQmZwsRGE2lasvwTIw4
s

salmon-ghost-86211

07/15/2020, 3:41 PM
Thank you so much. I really appreciate your help.
👍 1
Powered by