quiet-wolf-18467

09/06/2019, 3:28 PM
Hey all. Has anyone used GCP's KMS for secret storage? I'm not sure I'm configuring it correctly, as it keeps asking me for an encryption password, which I don't expect (and no provider information is stored in the stack yml).
white-balloon-205

09/06/2019, 4:15 PM
What exactly are you trying? This worked fine for me just now:
pulumi stack init --secrets-provider="gcpkms://projects/pulumi-development/locations/global/keyRings/luke-kms-testing/cryptoKeys/stack-key"
And then I confirmed that all secrets were being encrypted using the specific GCP KMS key.
pulumi stack init --help has details on configuring.
quiet-wolf-18467

09/06/2019, 4:16 PM
I'll asciinema my screen
I've tried with this and with stack init
pulumi version 1.0.0
Same experience with gcpkms, asks for password and then fails during stack creation due to duplicate
white-balloon-205

09/06/2019, 4:21 PM
Hmm - I cannot repro that at all. Even when I provide a key I don't have access to - I get a useful error:
Sorry, could not create stack 'dev': secrets (code=NotFound): rpc error: code = NotFound desc = CryptoKey projects/pulumi-development/locations/global/keyRings/luke-kms-testing/cryptoKeys/stack not found.
You are positive that pulumi version is v1.0.0?
The only explanation I have for what you are seeing is that you are using an older version of the CLI.
quiet-wolf-18467

09/06/2019, 4:21 PM
╰ pulumi version
v1.0.0
I'll try uninstalling ¯\_(ツ)_/¯
white-balloon-205

09/06/2019, 4:24 PM
That is very odd. I've tried in an environment where I don't have any GCP credentials at all either - and still get the useful error message above.
quiet-wolf-18467

09/06/2019, 4:24 PM
This is me using the Linux x64 binary from the website
I'm going to compile from source and try
white-balloon-205

09/06/2019, 4:30 PM
Just tried on a fresh Linux machine with the latest curl -fsSL https://get.pulumi.com | sh as well, and got a similar useful error:
Sorry, could not create stack 'dev': secrets (code=PermissionDenied): rpc error: code = PermissionDenied desc = Request had insufficient authentication scopes.
quiet-wolf-18467

09/06/2019, 4:34 PM
╰ ~/.pulumi/bin/pulumi new --dir abc
Please choose a template: aws-javascript             A minimal AWS JavaScript Pulumi program
This command will walk you through creating a new Pulumi project.

Enter a value or leave blank to accept the (default), and press <ENTER>.
Press ^C at any time to quit.

project name: (abc)
project description: (A minimal AWS JavaScript Pulumi program)
Created project 'abc'

stack name: (dev)
Enter your passphrase to protect config/secrets:
Re-enter your passphrase to confirm:
Sorry, could not create stack 'dev': stack 'dev' already exists
stack name: (dev) ^C
This is after installing with the curl
Something is weird
white-balloon-205

09/06/2019, 4:35 PM
Are you using a local backend instead of the pulumi.com backend? That's the only other variable I can imagine being different from what I tested above.
quiet-wolf-18467

09/06/2019, 4:35 PM
Deleting ~/.pulumi and trying again
I'm using GCS backend
white-balloon-205

09/06/2019, 4:36 PM
Ahh - that might be the root of this.
quiet-wolf-18467

09/06/2019, 4:36 PM
Oh
Is there anything I can do to make it work?
white-balloon-205

09/06/2019, 4:44 PM
It looks like the cloud secrets providers are currently (I believe unintentionally) only supported with the Pulumi service backend. Could you open an issue on this and we'll look into adding support?
quiet-wolf-18467

09/06/2019, 4:44 PM
OK
Is it a difficult fix?
white-balloon-205

09/06/2019, 4:47 PM
No.
quiet-wolf-18467

09/06/2019, 4:47 PM
OK. I'll poke around 👍
OK. I think I found the bug
It's
if _, ok := b.(filestate.Backend); ok || secretsProvider == "passphrase" {
right?
I could change the type check to look for localBackend instead. Do we want to force localBackend to only have passphrase encryption?
Compiling my potential "fix". Let's see what happens
So it's working now, but I'm not sure this is something you want upstream?
// Only the explicit "passphrase" provider should force passphrase-based encryption;
// the backend type check is dropped so file/object-store backends can use cloud KMS providers.
if secretsProvider == "passphrase" {
		if _, phraseErr := newPassphraseSecretsManager(stackRef.Name(), stackConfigFile); phraseErr != nil {
			return nil, phraseErr
		}
}
I'll submit the PR and someone can tell me an alternate route if they want 👍