Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
a
agreeable-ram-97887
04/19/2021, 11:22 AMHow does one decrypt the “.encryped_password” output of a UserLoginProfile resource? 🤔
b
broad-dog-22463
04/19/2021, 11:24 AMHi @agreeable-ram-97887 what did you pass into it to create it? PGP or keybase?
you should be able to do something like:
pulumi stack output myPropertyName | base64 --decode | keybase pgp decrypta
agreeable-ram-97887
04/19/2021, 11:26 AMAt the moment, keybase (although Im not stuck on it). For the moment I manually created an asymmetric key on AWS and just plugged it in to pulumi, and it seemed to work 🤷 (but tbh, im a bit out of my depth)
i’ll try your suggestion, and get back. Thank you 🙂
I guess I have to make an account with keybase? This seems a bit weird, since I made the asynmmetrric key on aws and I would assume that I should be able to access the functionality I need through the aws cli (e.g.
aws kms decrypt ...but maybe Im missing something?
or maybe, to turn the question around. All I am looking for is the ability to give certain users login access to the aws console by setting an initial password in my pulumi stack. What would be the suggested way to do this?
b
broad-dog-22463
04/19/2021, 11:53 AMyou don't need to use keybae
you can use a gpg key
but you need to provider one or the other
the resource under the hood uses it
a
agreeable-ram-97887
04/19/2021, 12:15 PMI’ve tried grabbing the public key from the AWS console and pasting it in “pgp_key” (see below), but then I see errors such as:
Error encrypting Password: error parsing given PGP key: openpgp: invalid data: tag byte does not have MSB setThis is with both pasting the key directly, as well as base64 encoding it first (like the docs suggest):
echo "RAW-KEY" | base64but I guess I’m still doing something wrong 🤔
btw, I’v assumed that I should use AWS KMS to generate an asymmetric key to do this encryption but, tbh, that was a total guess on my end 🤷. At the moment I’ve done this manually, but my ultimate goal is to have all components provisioned within the pulumi script.
Should I instead be using something else? for example ec2.KeyPair?
b
broad-dog-22463
04/19/2021, 12:26 PMwait, you are trying to create an SSH Key? This resource is for a user's login to the AWS console
a
agreeable-ram-97887
04/19/2021, 12:27 PMwait, you are trying to create an SSH Key?Not necessarily, all I would like to do is create the LoginProfile resource, and be able to pass the default password on to the user
b
broad-dog-22463
04/19/2021, 12:28 PMok, so if you want to do that then the provider requires you to use a PGP Key to encrypt the password
a
agreeable-ram-97887
04/19/2021, 12:29 PMwhich I can generate as an asymetric key using AWS KMS?
Or do I need to use some other service to get a PGP key?
b
broad-dog-22463
04/19/2021, 12:58 PMI've not tried it using an AWS KMS key tbh
a
agreeable-ram-97887
04/19/2021, 1:11 PMI see 😕 . Maybe you could suggest to me how you would do it? Or maybe you know a good tutorial to go off of?