Hey all. Has anyone used GCP's KMS for secret stor...
# general
Hey all. Has anyone used GCP's KMS for secret storage? I'm not sure I'm configuring it correctly, as it keeps asking me for an encryption password; which I don't expect (and no provider information stored in stack yml)
What exactly are you trying? This worked fine for me just now:
Copy code
pulumi stack init --secrets-provider="<gcpkms://projects/pulumi-development/locations/global/keyRings/luke-kms-testing/cryptoKeys/stack-key>"
And then I confirmed that all secrets were being encrypted using the specific GCP KMS key.
pulumi stack init --help
has details on configuring.
I'll asciinema my screen
I've tried with this and with stack init
pulumi version 1.0.0
Same experience with gcpkms, asks for password and then fails during stack creation due to duplicate
Hmm - I cannot repro that at all. Even when I provide a key I don't have access to - I get a useful error:
Copy code
Sorry, could not create stack 'dev': secrets (code=NotFound): rpc error: code = NotFound desc = CryptoKey projects/pulumi-development/locations/global/keyRings/luke-kms-testing/cryptoKeys/stack not found.
You are positive that
pulumi version
The only explanation I have for what you are seeing is that you are using an older version of the CLI.
Copy code
╰ pulumi version
I'll try uninstalling ¯\_(ツ)_/¯
That is very odd. I've tried in an environment where I don't have any GCP credentials at all either - and still get the useful error message above.
This is me using the Linux x64 binary from the website
I'm going to compile from source and try
Just tried on fresh Linux machine with latest
curl -fsSL <https://get.pulumi.com> | sh
as well and similar useful error:
Copy code
Sorry, could not create stack 'dev': secrets (code=PermissionDenied): rpc error: code = PermissionDenied desc = Req
uest had insufficient authentication scopes.
Copy code
╰ ~/.pulumi/bin/pulumi new --dir abc
Please choose a template: aws-javascript             A minimal AWS JavaScript Pulumi program
This command will walk you through creating a new Pulumi project.

Enter a value or leave blank to accept the (default), and press <ENTER>.
Press ^C at any time to quit.

project name: (abc)
project description: (A minimal AWS JavaScript Pulumi program)
Created project 'abc'

stack name: (dev)
Enter your passphrase to protect config/secrets:
Re-enter your passphrase to confirm:
Sorry, could not create stack 'dev': stack 'dev' already exists
stack name: (dev) ^C
This is after installing with the curl
Something is weird
Are you using a local backend instead of
backend? That's the only other variable I can imagine being different from what I tested above.
and trying again
I'm using GCS backend
Ahh - that might be the root of this.
Is there anything I can do to make it work?
It looks like the cloud secrets providers are currently (I believe unintentionally) only supported with the Pulumi service backend. Could you open an issue on this and we'll look into adding support?
Is it a difficult fix?
OK. I'll poke around 👍
OK. I think I found the bug
if _, ok := b.(filestate.Backend); ok || secretsProvider == "passphrase" {
I could change the type check to look for
instead. Do we want ot force localBackend to only have passphrase encryption?
Compiling my potential "fix". Lets see what happens
So it's working now, but I'm not sure this is something you want upstream?
Copy code
if secretsProvider == "passphrase" {
		if _, pharseErr := newPassphraseSecretsManager(stackRef.Name(), stackConfigFile); pharseErr != nil {
			return nil, pharseErr
I'll submit the PR and someone can tell me an alternate route if they want 👍