https://pulumi.com logo
Join Slack
Powered by
`pulumi up` shows secure outputs in plain text, is...
# general
e
pulumi up
shows secure outputs in plain text, is it a known issue? I am using pulumi random:
Copy code
import * as random from "@pulumi/random";
...
const redisPassword = new random.RandomPassword("redis", {
  length: 10,
  special: false
});

export const redisStgPassword = redisPassword.result;
Per docs, pulumi should display at as`[secret]` : https://www.pulumi.com/docs/intro/concepts/programming-model/#stack-outputs and https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/random/#RandomPassword while in my case it displays it in plaintext every invocation of 
pulumi up
or 
pulumi stack output
I am using pulumi 1.8.1 and random 1.4.0
w
Right now - you need to specifiy 
additionalSecretOutputs
to ensure outputs are secret (unless they were also inputs which were provided a secret value). https://github.com/pulumi/pulumi-terraform-bridge/issues/10 will make it so that this additional annotation is not required, and "Sensitive" outputs from upstream providers will automatically be marked as secret.
e
thanks @white-balloon-205 !
@white-balloon-205, this worked well for 
random.RandomPassword
and 
tls.PrivateKey
(which are from terraform modules), but didn't work for k8s.Secret. Any idea? Code:
Copy code
const vaultAuthAccount = new k8s.core.v1.ServiceAccount(
...

// read from created account token secret
export const vaultAuthToken64 = k8s.core.v1.Secret.get(
  "vault-auth-token",
  pulumi.interpolate`${vaultAuthAccount.metadata.namespace}/${vaultAuthAccount.secrets[0].name}`,
  {
      additionalSecretOutputs: ["data"]
  }
).data.apply(d => (d as { token: string }).token);
looks like static method 
get
of https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/kubernetes/core/v1/#Secret does not honor this option
mb there is some way to create secure 
Output
from non-secure 
Output
? I could use this as w/a.
w
Hmm - that doesn't sound right. Could you open an issue with a report of that? (
get
not respecting this option).
e
sure
w
mb there is some way to create secure 
Output
from non-secure 
Output
?
Yeah - 
pulumi.secret(output)
should work.
e
thanks !
Open in Slack
PreviousNext
Powered by