dazzling-memory-8548

06/14/2019, 5:36 PM
Hi all! I'm hoping someone could give me a quick sanity check before I file a bug report on something. I've noticed that attributes of resources that contain a secret value are not encrypted in the stack when the parent resource is exported. However, individual references to that attribute as export are encrypted. In both examples, the output is correctly masked. My expectation is that the secret never shows up in plaintext in the stack export in either case. Am I missing something?
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as docker from "@pulumi/docker";

const config = new pulumi.Config("secrets-demo");
const containerImage = config.requireSecret("containerImage");

// This exposes the secret in the stack export.
export const remoteImage = new docker.RemoteImage("myImage", {
  name: containerImage
});

const container = new docker.Container(
  "myContainer",
  {
    image: containerImage
  },
  {
    dependsOn: remoteImage
  }
);

// This correctly encrypts the secret.
export const imageName = remoteImage.name;
```
Sample stack contents (the secret value is `ubuntu:latest`):
```json
"resources": [
                {
                    "urn": "urn:pulumi:secrets-demo::secrets-demo::pulumi:pulumi:Stack::secrets-demo-secrets-demo",
                    "custom": false,
                    "type": "pulumi:pulumi:Stack",
                    "outputs": {
                        "imageName": {
                            "4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb44270",
                            "ciphertext": "v1:+h6rqYSR0aiRoY1O:1UHiOwS37dSnyl8uKbzkICop1GwauKMSZ+fKxCxXNw=="
                        },
                        "remoteImage": {
                            "id": "sha256:7698f282e5242af2b9d2291458d4e425c75b25b0008c1e058d66b717b4c06fa9ubuntu:latest",
                            "latest": "sha256:7698f282e5242af2b9d2291458d4e425c75b25b0008c1e058d66b717b4c06fa9",
                            "name": "ubuntu:latest",
                            "urn": "urn:pulumi:secrets-demo::secrets-demo::docker:index/remoteImage:RemoteImage::myImage"
                        }
                    }
                },
```

worried-engineer-33884

06/17/2019, 11:57 AM
cc @gentle-diamond-70147

gentle-diamond-70147

06/17/2019, 2:45 PM
Sounds like a bug. Can you open an issue at https://github.com/pulumi/pulumi ?

dazzling-memory-8548

06/17/2019, 7:01 PM
Thanks. I'll open a bug report.

worried-engineer-33884

06/24/2019, 3:15 PM
cc @big-piano-35669
secrets that are supposed to be encrypted are being exposed in plain text

gentle-diamond-70147

06/24/2019, 3:22 PM
I've escalated internally as well.

worried-engineer-33884

06/24/2019, 3:23 PM
👍 thanks

dazzling-memory-8548

06/24/2019, 3:51 PM
thanks
@bitter-oil-46081 @white-balloon-205 thanks for the quick fix on this issue!

bitter-oil-46081

06/26/2019, 10:25 PM
We'll cut a release today to get updated `@pulumi/pulumi` packages out there; you shouldn't need to update the CLI to get a fix.