
quick-action-34599

09/17/2019, 3:10 PM
I just created several IAM users with Pulumi, along with access keys. The export should have been [{ username, keyId, secret }] but the secret prop is missing from all the exported objects in pulumi's output

broad-dog-22463

09/17/2019, 3:12 PM
looking at this right now

quick-action-34599

09/17/2019, 3:12 PM
I had an interpolate statement above using encryptedSecret but it wasn't being logged out
Could that do it, if the encryptedSecret can only be used once?

broad-dog-22463

09/17/2019, 3:12 PM
can you give me a sample of what your code looks like?
(without any secret values etc)

quick-action-34599

09/17/2019, 3:13 PM
sure
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// AUTO_USERS is defined elsewhere in this program (not shown here):
// a map of IAM user name -> per-user properties.
export const users = (async () => {
  const ret = [];

  for (const [username, props] of Object.entries(AUTO_USERS)) {
    const key = await createUser(username, props);

    // This interpolation is never logged or exported, so it prints nothing.
    pulumi.interpolate`Access Key [${username}]: ${key.id} / ${key.encryptedSecret}`;

    ret.push({
      username,
      key: key.id,
      // encryptedSecret is only populated when a pgpKey is set on the
      // AccessKey; without one it is undefined, so "secret" is missing
      // from the stack output.
      secret: key.encryptedSecret,
    });
  }

  return ret;
})();

async function createUser(username: string, props: object) {
  const user = new aws.iam.User(username, {
    name: username,
  });

  // Attach the AWS-managed AmazonS3FullAccess policy to the user.
  // (The managed policy ARN constants live under aws.iam.ManagedPolicies.)
  const policy = new aws.iam.UserPolicyAttachment(`${username}-s3access`, {
    user,
    policyArn: aws.iam.ManagedPolicies.AmazonS3FullAccess,
  });

  // No pgpKey is supplied here, so the secret is stored in state unencrypted
  // and encryptedSecret is not set.
  const accessKey = new aws.iam.AccessKey(`${username}-key`, {
    user: user.name,
  });

  return accessKey;
}

broad-dog-22463

09/17/2019, 3:13 PM
yeah
encryptedSecret will only be used when a PGP key is supplied
can you pulumi stack export and check for secret?

quick-action-34599

09/17/2019, 3:14 PM
when a PGP key is supplied?

broad-dog-22463

09/17/2019, 3:14 PM
I have a feeling that your secret will be there in plain text
yes, in our docs we have this
// lbUser is an aws.iam.User defined earlier in the docs example (not shown here).
const lbAccessKey = new aws.iam.AccessKey("lb", {
    // Public PGP key used to encrypt the secret; "keybase:<username>" fetches it from Keybase.
    pgpKey: "keybase:some_person_that_exists",
    user: lbUser.name,
});

quick-action-34599

09/17/2019, 3:14 PM
ah-ha yea I see them
I’m not using pgpKey

quick-action-34599

09/17/2019, 3:14 PM
didn’t understand what it was for

broad-dog-22463

09/17/2019, 3:14 PM
yeah there's a note there
It's missing some KEY documentation actually
actually, no it's misleading
let me link you

quick-action-34599

09/17/2019, 3:15 PM
lol OK so it’s not just me
read the note under that property

quick-action-34599

09/17/2019, 3:16 PM
ohhhhh
That makes more sense

broad-dog-22463

09/17/2019, 3:16 PM
sorry for that 😞

quick-action-34599

09/17/2019, 3:16 PM
I saw stuff with keybase and was wondering why you'd be using a third-party tool to create AWS accounts
np

broad-dog-22463

09/17/2019, 3:16 PM
I would suggest removing the AccessKey and recreating
it's not good to have that in state

quick-action-34599

09/17/2019, 3:17 PM
ok so I want to create a pgp keypair with openssl or keybase or whatever, and use that

broad-dog-22463

09/17/2019, 3:18 PM
FWIW, the keybase way is actually really nice for this 🙂
It's how I create mine
let me know if you have any issues

quick-action-34599

09/17/2019, 3:20 PM
oh ok
like creating them and storing them in keybase?
online or whatnot
I was figuring we already use 1password so I’d store them there

broad-dog-22463

09/17/2019, 3:22 PM
oh no, what I mean is, we use the PGP key associated with Keybase to encrypt the secretKey
that way, they are not being stored in plaintext
pulumi stack output myOutputName | base64 --decode | keybase pgp decrypt
and that will decrypt it for use outside of state

quick-action-34599

09/17/2019, 3:25 PM
OK
For a distributed team would you make a generic keybase account?
Like, I’m thinking a couple years down the road if I don’t work here I wouldn’t want these secret keys dependent on my keybase identity
I guess I can export a pgp key and allow anyone else using keybase to import it