Channels
#general
Title
q
quiet-wolf-18467
09/06/2019, 3:28 PM
Hey all. Has anyone used GCP's KMS for secret storage? I'm not sure I'm configuring it correctly, as it keeps asking me for an encryption password; which I don't expect (and no provider information stored in stack yml)
w
white-balloon-205
09/06/2019, 4:15 PM
What exactly are you trying?
This worked fine for me just now:
Copy code
pulumi stack init --secrets-provider="<gcpkms://projects/pulumi-development/locations/global/keyRings/luke-kms-testing/cryptoKeys/stack-key>"pulumi stack init --helpq
quiet-wolf-18467
09/06/2019, 4:16 PM
I'll asciinema my screen
I've tried with this and with stack init
pulumi version 1.0.0
Same experience with gcpkms, asks for password and then fails during stack creation due to duplicate
w
white-balloon-205
09/06/2019, 4:21 PM
Hmm - I cannot repro that at all. Even when I provide a key I don't have access to - I get a useful error:
Copy code
Sorry, could not create stack 'dev': secrets (code=NotFound): rpc error: code = NotFound desc = CryptoKey projects/pulumi-development/locations/global/keyRings/luke-kms-testing/cryptoKeys/stack not found.pulumi versionv1.0.0The only explanation I have for what you are seeing is that you are using an older version of the CLI.
q
quiet-wolf-18467
09/06/2019, 4:21 PM
Copy code
╰ pulumi version
v1.0.0I'll try uninstalling ¯\_(ツ)_/¯
w
white-balloon-205
09/06/2019, 4:24 PM
That is very odd. I've tried in an environment where I don't have any GCP credentials at all either - and still get the useful error message above.
q
quiet-wolf-18467
09/06/2019, 4:24 PM
This is me using the Linux x64 binary from the website
I'm going to compile from source and try
w
white-balloon-205
09/06/2019, 4:30 PM
Just tried on fresh Linux machine with latest
curl -fsSL <https://get.pulumi.com> | sh Copy code
Sorry, could not create stack 'dev': secrets (code=PermissionDenied): rpc error: code = PermissionDenied desc = Req
uest had insufficient authentication scopes.q
quiet-wolf-18467
09/06/2019, 4:34 PM
Copy code
╰ ~/.pulumi/bin/pulumi new --dir abc
Please choose a template: aws-javascript A minimal AWS JavaScript Pulumi program
This command will walk you through creating a new Pulumi project.
Enter a value or leave blank to accept the (default), and press <ENTER>.
Press ^C at any time to quit.
project name: (abc)
project description: (A minimal AWS JavaScript Pulumi program)
Created project 'abc'
stack name: (dev)
Enter your passphrase to protect config/secrets:
Re-enter your passphrase to confirm:
Sorry, could not create stack 'dev': stack 'dev' already exists
stack name: (dev) ^CThis is after installing with the curl
Something is weird
w
white-balloon-205
09/06/2019, 4:35 PM
Are you using a local backend instead of
<http://pulumi.com|pulumi.com>q
quiet-wolf-18467
09/06/2019, 4:35 PM
Deleting
~/.pulumiI'm using GCS backend
w
white-balloon-205
09/06/2019, 4:36 PM
Ahh - that might be the root of this.
q
quiet-wolf-18467
09/06/2019, 4:36 PM
Oh
Is there anything I can do to make it work?
w
white-balloon-205
09/06/2019, 4:44 PM
It looks like the cloud secrets providers are currently (I believe unintentionally) only supported with the Pulumi service backend. Could you open an issue on this and we'll look into adding support?
q
quiet-wolf-18467
09/06/2019, 4:44 PM
OK
Is it a difficult fix?
w
white-balloon-205
09/06/2019, 4:47 PM
No.
q
quiet-wolf-18467
09/06/2019, 4:47 PM
OK. I'll poke around 👍
OK. I think I found the bug
It's
if _, ok := b.(filestate.Backend); ok || secretsProvider == "passphrase" {right?
I could change the type check to look for
localBackendCompiling my potential "fix". Lets see what happens
So it's working now, but I'm not sure this is something you want upstream?
Copy code
if secretsProvider == "passphrase" {
if _, pharseErr := newPassphraseSecretsManager(stackRef.Name(), stackConfigFile); pharseErr != nil {
return nil, pharseErr
}I'll submit the PR and someone can tell me an alternate route if they want 👍