# general
q
I just created several IAM users with Pulumi, along with access keys. The export should have been [{ username, keyId, secret }] but the `secret` prop is missing from all the exported objects in Pulumi's output
b
looking at this right now
q
I had an `interpolate` statement above using `encryptedSecret` but it wasn't being logged out
Could that do it, if the `encryptedSecret` can only be used once?
b
can you give me a sample of what your code looks like?
(without any secret values etc)
q
sure
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// username -> per-user settings; the real entries are not shown here
const AUTO_USERS: Record<string, object> = {};

export const users = (async () => {
  const ret: { username: string; key: pulumi.Output<string>; secret: pulumi.Output<string> }[] = [];

  for (const [username, props] of Object.entries(AUTO_USERS)) {
    const key = await createUser(username, props);

    // The interpolated Output is never logged or exported, so nothing is printed
    pulumi.interpolate`Access Key [${username}]: ${key.id} / ${key.encryptedSecret}`;

    ret.push({
      username,
      key: key.id,
      // this is the value that comes back empty in the stack output
      secret: key.encryptedSecret,
    });
  }

  return ret;
})();

async function createUser(username: string, props: object) {
  const user = new aws.iam.User(username, {
    name: username,
  });

  // attach the managed S3 policy to the user
  const policy = new aws.iam.UserPolicyAttachment(`${username}-s3access`, {
    user,
    policyArn: aws.iam.AmazonS3FullAccess,
  });

  // access key created without a pgpKey
  const accessKey = new aws.iam.AccessKey(`${username}-key`, {
    user: user.name,
  });

  return accessKey;
}
```
b
yeah, `encryptedSecret` will only be used when a PGP key is supplied
can you `pulumi stack export` and check for `secret`?
q
when a PGP key is supplied?
b
I have a feeling that your secret will be there in plain text
yes, in our docs we have this
```typescript
import * as aws from "@pulumi/aws";

const lbUser = new aws.iam.User("lb"); // the user the key belongs to
const lbAccessKey = new aws.iam.AccessKey("lb", {
    pgpKey: "keybase:some_person_that_exists", // secret is encrypted to this key
    user: lbUser.name,
});
```
q
ah-ha, yeah, I see them
I'm not using `pgpKey`
q
didn’t understand what it was for
b
yeah there's a note there
It's missing some KEY documentation actually
actually, no it's misleading
let me link you
q
lol OK so it’s not just me
read the note under that property
q
ohhhhh
That makes more sense
b
sorry for that 😞
q
I saw stuff with `keybase` and was wondering why you'd be using a third-party tool to create AWS accounts
np
b
I would suggest removing the AccessKey and recreating
it's not good to have that in state
q
ok so I want to create a pgp keypair with openssl or keybase or whatever, and use that
b
FWIW, the keybase way is actually really nice for this 🙂
It's how I create mine
let me know if you have any issues
q
oh ok
like creating them and storing them in keybase?
online or whatnot
I was figuring we already use 1password so I’d store them there
b
oh no, what I mean is, we use the PGP key associated with Keybase to encrypt the secretKey
that way, they are not being stored in plaintext
`pulumi stack output myOutputName | base64 --decode | keybase pgp decrypt`
and that will decrypt it for use outside of state
q
OK
For a distributed team would you make a generic keybase account?
Like, I’m thinking a couple years down the road if I don’t work here I wouldn’t want these secret keys dependent on my keybase identity
I guess I can export a pgp key and allow anyone else using keybase to import it