How do I use a service account in a CI/CD pipeline? Set up a Pulumi user for this purpose?That's right, create credentials for a service account and then expose those as secrets in your CI/CD. You can run under any credentials you want to use, and those credentials will not leave the CI machine.
Does it support dependency on another stack? Or how can you reference resources/objects from other stacks?Today you can loosely couple stacks by exporting from one stack and then setting those values as Pulumi config on the other. This is a little manual, and we are looking at options to allow one stack to directly look up outputs of another in a slightly more coupled way to make this really simple.
ETA on PKI encryption? Use case, I provide a public key to Pulumi to encrypt the secrets for our stacks rather than Pulumi encrypting those secret config items.It's top of mind, if it's blocking your ability to use Pulumi in the near term we can definitely prioritize. There's some discussion related to this on https://github.com/pulumi/pulumi/issues/1867.
orange-tailor-8542310/25/2018, 11:49 PM
inside the CI environment to interact with GCP.
2. You will also need a Pulumi Access Token for an account in Pulumi with priveleges to update your stack. You can get this for your user at https://app.pulumi.com/account/tokens. We've seen folks create "Bot" users within their organizations as a way to assign these access keys to a neutral account whose rights can be managed independently.
glamorous-printer-6654810/26/2018, 8:27 AM
echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc && npm ci
echo $GCP_SERVICE_ACCOUNT_KEY | gcloud auth activate-service-account --project my-gcp-project --key-file=-
gcloud auth configure-docker