This message was deleted Pulumi Community #general

Join Slack

This message was deleted.

# general

sparse-intern-71089

09/06/2019, 9:38 AM

This message was deleted.

best-xylophone-83824

09/06/2019, 9:38 AM

https://github.com/pulumi/pulumi-gcp/issues/214

broad-dog-22463

09/06/2019, 9:39 AM

Ok, looking at it right now

broad-dog-22463

09/06/2019, 9:42 AM

@best-xylophone-83824 just to confirm, you have an env var set to point to the JSON creds file?

best-xylophone-83824

09/06/2019, 9:42 AM

hmm, just checked cloudflare provider from another stack. in stack config:

Copy code

config:
  cloudflare: my-email
  cloudflare:token:
    secure:  ABCDEFG

but in stack state file there is a

pulumi:providers:cloudflare

resource with

.token

property shown as is butt naked

best-xylophone-83824

09/06/2019, 9:43 AM

@broad-dog-22463, yes, we have GOOGLE_CREDENTIALS= with content of a GCP SA key json

broad-dog-22463

09/06/2019, 9:43 AM

broad-dog-22463

09/06/2019, 9:44 AM

let me try and recreate this

best-xylophone-83824

09/06/2019, 9:45 AM

for the reference, we also have

Copy code

gcloud auth activate-service-account --key-file <(printf '%s' "${GOOGLE_CREDENTIALS}")

but I think it is redundant and GOOGLE_CREDENTIALS is enough

broad-dog-22463

09/06/2019, 9:46 AM

so you have something like

broad-dog-22463

09/06/2019, 9:46 AM

`export GOOGLE_CREDENTIALS=`cat myfile.json``

broad-dog-22463

09/06/2019, 9:46 AM

right?

best-xylophone-83824

09/06/2019, 9:47 AM

yes

broad-dog-22463

09/06/2019, 9:48 AM

👍

broad-dog-22463

09/06/2019, 9:48 AM

ok testing now

broad-dog-22463

09/06/2019, 9:50 AM

so I have code that looks as follows

broad-dog-22463

09/06/2019, 9:50 AM

Copy code

import * as gcp from "@pulumi/gcp";

const provider = new gcp.Provider("myProvider")

// Create a GCP resource (Storage Bucket)
const bucket = new gcp.storage.Bucket("my-bucket", {}, {provider: provider});

// Export the DNS name of the bucket
export const bucketName = bucket.url;

broad-dog-22463

09/06/2019, 9:50 AM

broad-dog-22463

09/06/2019, 9:51 AM

You are indeed correct!

best-xylophone-83824

09/06/2019, 9:51 AM

yes, looks similar. if you check stack file there is a credentials field with full token unencrypted

broad-dog-22463

09/06/2019, 9:51 AM

it's right there in the stack output when you use a custom provider

broad-dog-22463

09/06/2019, 9:52 AM

mmmhhhh

broad-dog-22463

09/06/2019, 9:52 AM

trying it without the EnvVar set

best-xylophone-83824

09/06/2019, 9:52 AM

it is concealed for GCP ambient provider though, but ambient cloudflare provider reveals token too

broad-dog-22463

09/06/2019, 9:52 AM

to see if the same behaviour exists

broad-dog-22463

09/06/2019, 9:54 AM

ok it only happens on custom providers when an EnvVar for the credentials are provided

broad-dog-22463

09/06/2019, 9:54 AM

it doesn't happen when it falls back to the Google credentials in my home dir

best-xylophone-83824

09/06/2019, 10:38 AM

do you want me to open cloudflare issue too or it is a generic problem with providers?

cool-egg-852

09/06/2019, 2:01 PM

Out of curiosity, any reason you use an env var for the credentials instead of

GOOGLE_APPLICATION_CREDENTIALS

which is a path to the json instead of the contents? Or does this not actually work with the provider (haven’t tested this myself)?

best-xylophone-83824

09/06/2019, 2:05 PM

no particular reason, we pull credentials from bootstrap stack output, where all projects and all pulumi service accounts are managed. then individual pulumi stack is doing:

Copy code

GCP_PROJECT_INFO=$(pulumi stack output output --show-secrets -j --stack nakhoda/gcp-bootstrap/prod | python -c 'import json,sys; print(json.dumps(json.load(sys.stdin)["'${PULUMI_STACK#*/}'"]))')
GOOGLE_CREDENTIALS=$(python -c 'import json,sys; print(json.load(sys.stdin)["serviceAccountKey"])' <<<"$GCP_PROJECT_INFO" | base64 -d)
export GOOGLE_CREDENTIALS

cool-egg-852

09/06/2019, 2:05 PM

Ah gotcha.

Open in Slack

Previous Next