
agreeable-ram-97887

04/19/2021, 11:22 AM
How does one decrypt the “.encrypted_password” output of a UserLoginProfile resource? 🤔

broad-dog-22463

04/19/2021, 11:24 AM
Hi @agreeable-ram-97887 what did you pass into it to create it? PGP or keybase?
you should be able to do something like:
pulumi stack output myPropertyName | base64 --decode | keybase pgp decrypt

agreeable-ram-97887

04/19/2021, 11:26 AM
At the moment, keybase (although I’m not stuck on it). For the moment I manually created an asymmetric key on AWS and just plugged it in to pulumi, and it seemed to work 🤷 (but tbh, I’m a bit out of my depth)
i’ll try your suggestion, and get back. Thank you 🙂
I guess I have to make an account with keybase? This seems a bit weird, since I made the asymmetric key on aws and I would assume that I should be able to access the functionality I need through the aws cli (e.g. aws kms decrypt ...)
but maybe I’m missing something?
or maybe, to turn the question around. All I am looking for is the ability to give certain users login access to the aws console by setting an initial password in my pulumi stack. What would be the suggested way to do this?

broad-dog-22463

04/19/2021, 11:53 AM
you don't need to use keybase
you can use a gpg key
but you need to provide one or the other
the resource under the hood uses it

agreeable-ram-97887

04/19/2021, 12:15 PM
I’ve tried grabbing the public key from the AWS console and pasting it in “pgp_key” (see below), but then I see errors such as:
Error encrypting Password: error parsing given PGP key: openpgp: invalid data: tag byte does not have MSB set
This is with both pasting the key directly, as well as base64 encoding it first (like the docs suggest):
echo "RAW-KEY" |  base64
but I guess I’m still doing something wrong 🤔
btw, I’ve assumed that I should use AWS KMS to generate an asymmetric key to do this encryption but, tbh, that was a total guess on my end 🤷. At the moment I’ve done this manually, but my ultimate goal is to have all components provisioned within the pulumi script. Should I instead be using something else? for example ec2.KeyPair?

broad-dog-22463

04/19/2021, 12:26 PM
wait, you are trying to create an SSH Key? This resource is for a user's login to the AWS console

agreeable-ram-97887

04/19/2021, 12:27 PM
wait, you are trying to create an SSH Key?
Not necessarily, all I would like to do is create the LoginProfile resource, and be able to pass the default password on to the user

broad-dog-22463

04/19/2021, 12:28 PM
ok, so if you want to do that then the provider requires you to use a PGP Key to encrypt the password

agreeable-ram-97887

04/19/2021, 12:29 PM
which I can generate as an asymmetric key using AWS KMS?
Or do I need to use some other service to get a PGP key?

broad-dog-22463

04/19/2021, 12:58 PM
I've not tried it using an AWS KMS key tbh

agreeable-ram-97887

04/19/2021, 1:11 PM
I see 😕 . Maybe you could suggest to me how you would do it? Or maybe you know a good tutorial to go off of?