
mammoth-train-70005

03/31/2020, 12:53 PM
The Pulumi State Case: Sadly pulumi stores properties from Azure Resources with secrets as clear text. Because of “trust no one” we tried to put the state to a restricted Azure Blob Storage (if that leaks it is our fail, we can’t prevent any leak from Pulumi). The problem is that it seems it cannot be used with the identity of the user logged in with the az-cli. This is kind of weird, because pulumi otherwise works great with that identity. I have to set the AZURE_STORAGE_KEY to make it work, which is not the ideal solution. Any hints or ideas?
👍 1

tall-librarian-49374

03/31/2020, 3:29 PM
You could encrypt those secrets with additionalSecretOutputs in Pulumi state and keep the state in the Pulumi backend.

colossal-room-15708

03/31/2020, 8:35 PM
@tall-librarian-49374 is it worth maybe creating an issue to look into supporting AAD authentication to the storage now instead of the storage key?

tall-librarian-49374

03/31/2020, 8:49 PM
It’s always worth opening a case with a fruitful idea
A PR is worth 5 issues though :)

colossal-room-15708

03/31/2020, 9:50 PM
Lol not sure if I'm that capable 😉

plain-tiger-79744

04/30/2020, 1:35 PM
We have the same problem. Any news?
Thinking of writing a script that uses Azure CLI to get the Storage Key and write it into the environment variable.
$Env:AZURE_STORAGE_KEY = az storage account keys list --account-name $Env:AZURE_STORAGE_ACCOUNT --query "[0].value" --output tsv