#general

best-xylophone-83824

09/06/2019, 9:38 AM
I don't know if it is GCP specific as we don't use other providers, but `new gcp.Provider("name", {project: "another-project"})` leaks ambient provider credentials into the stack unencrypted

broad-dog-22463

09/06/2019, 9:39 AM
Ok, looking at it right now
@best-xylophone-83824 just to confirm, you have an env var set to point to the JSON creds file?

best-xylophone-83824

09/06/2019, 9:42 AM
Hmm, just checked the Cloudflare provider from another stack. In the stack config:
```yaml
config:
  cloudflare: my-email
  cloudflare:token:
    secure: ABCDEFG
```
but in the stack state file there is a `pulumi:providers:cloudflare` resource with the `.token` property shown as is, butt naked
@broad-dog-22463, yes, we have `GOOGLE_CREDENTIALS=` with the content of a GCP SA key JSON

broad-dog-22463

09/06/2019, 9:43 AM
ok
let me try and recreate this

best-xylophone-83824

09/06/2019, 9:45 AM
For reference, we also have
```shell
gcloud auth activate-service-account --key-file <(printf '%s' "${GOOGLE_CREDENTIALS}")
```
but I think it is redundant and GOOGLE_CREDENTIALS is enough

broad-dog-22463

09/06/2019, 9:46 AM
so you have something like
```shell
export GOOGLE_CREDENTIALS=`cat myfile.json`
```
right?

best-xylophone-83824

09/06/2019, 9:47 AM
yes

broad-dog-22463

09/06/2019, 9:48 AM
👍
ok testing now
so I have code that looks as follows
```typescript
import * as gcp from "@pulumi/gcp";

// Explicit (custom) provider; it picks up the credentials from GOOGLE_CREDENTIALS
const provider = new gcp.Provider("myProvider");

// Create a GCP resource (Storage Bucket) using the explicit provider
const bucket = new gcp.storage.Bucket("my-bucket", {}, { provider: provider });

// Export the URL of the bucket
export const bucketName = bucket.url;
```
ok
You are indeed correct!

best-xylophone-83824

09/06/2019, 9:51 AM
Yes, looks similar. If you check the stack file there is a `credentials` field with the full token unencrypted

broad-dog-22463

09/06/2019, 9:51 AM
it's right there in the stack output when you use a custom provider
mmmhhhh
trying it without the EnvVar set

best-xylophone-83824

09/06/2019, 9:52 AM
It is concealed for the GCP ambient provider though, but the ambient Cloudflare provider reveals the token too

broad-dog-22463

09/06/2019, 9:52 AM
to see if the same behaviour exists
ok it only happens on custom providers when an EnvVar for the credentials is provided
it doesn't happen when it falls back to the Google credentials in my home dir

best-xylophone-83824

09/06/2019, 10:38 AM
Do you want me to open a Cloudflare issue too, or is it a generic problem with providers?

cool-egg-852

09/06/2019, 2:01 PM
Out of curiosity, any reason you use an env var for the credentials instead of `GOOGLE_APPLICATION_CREDENTIALS`, which is a path to the JSON instead of the contents? Or does this not actually work with the provider (haven't tested this myself)?

best-xylophone-83824

09/06/2019, 2:05 PM
No particular reason. We pull credentials from the bootstrap stack output, where all projects and all Pulumi service accounts are managed. Then each individual Pulumi stack does:
```shell
# Read this project's entry from the bootstrap stack's "output" stack output (secrets included)
GCP_PROJECT_INFO=$(pulumi stack output output --show-secrets -j --stack nakhoda/gcp-bootstrap/prod | python -c 'import json,sys; print(json.dumps(json.load(sys.stdin)["'${PULUMI_STACK#*/}'"]))')
# Decode the base64-encoded service account key JSON and export it for the provider
GOOGLE_CREDENTIALS=$(python -c 'import json,sys; print(json.load(sys.stdin)["serviceAccountKey"])' <<<"$GCP_PROJECT_INFO" | base64 -d)
export GOOGLE_CREDENTIALS
```

cool-egg-852

09/06/2019, 2:05 PM
Ah gotcha.