The Pulumi State Case Sadly pulumi stores properties from Az

Question

The Pulumi State Case Sadly pulumi stores properties from Azure Resources with secrets as clear text Because of trust no one we tried to put the state to a restricted Azure Blob Storage if that leaks it is our fail we can t prevent any leak from Pulumi The Problem is that it seems cannot be used with the Identity of the User logged in with the `az cli` This is kind of weird because pulumi other wise works great with that Identity I have to set the AZURE STORAGE KEY to make it work which is not the Ideal Solution Any Hints or Ideas

tall-librarian-49374 · Answer

You could encrypt those secrets with `additionalSecretOutputs` in Pulumi state and keep the state in the Pulumi backend

colossal-room-15708 · Answer

< tall librarian 49374> is it worth maybe creating an issue to look into supporting AAD authentication to the storage now instead of the storage key

tall-librarian-49374 · Answer

It s always worth opening a case with a fruitful idea

tall-librarian-49374 · Answer

A PR is worth 5 issues though

colossal-room-15708 · Answer

Lol not sure if I m that capable wink

plain-tiger-79744 · Answer

We have the same problem Any news

plain-tiger-79744 · Answer

Thinking of writing a script that uses Azure CLI to get the Storage Key and write it into the environment variable $Env AZURE STORAGE KEY = az storage account keys list account name $Env AZURE STORAGE ACCOUNT query 0 value