witty-yacht-82771
02/11/2020, 4:15 PMcolossal-beach-47527
02/11/2020, 4:20 PMwitty-yacht-82771
02/11/2020, 4:21 PMcurl -H "Authorization: token ${PULUMI_ACCESS_TOKEN}" <https://api.pulumi.com/api/stacks/$>{STACK}/export
colossal-beach-47527
02/11/2020, 4:32 PMPOST <https://api.pulumi.com/api/stacks/>{stack-identity}/encrypt
// EncryptValueResponse defines the response body for an encrypted value.
type EncryptValueResponse struct {
// The encrypted value.
Ciphertext []byte `json:“ciphertext”`
}
POST <https://api.pulumi.com/api/stacks/>{stack-identity}/decrypt
// DecryptValueRequest defines the request body for decrypting a value.
type DecryptValueRequest struct {
// The value to decrypt.
Ciphertext []byte `json:“ciphertext”`
}
The qualified stack identity is “{orgName}/{projectName}/{stackName}“.
So since my Pulumi user account name is “chrsmith”, and the project
name from Pulumi.yaml
is “resources”, then to decrypt the configuration
secret using curl
the command would be:
curl \
-X POST \
-H "Authorization: token $PULUMI_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"ciphertext":"..."}' \
<https://api.pulumi.com/api/stacks/chrsmith/resources/demo/decrypt>
[]byte
and then serialize that as JSON. (So perhaps when we do publish this API we’d just have it accept a more intuitive string
instead.)
So you might need to play around with the input, etc. But that’s the underlying API endpoints for encrypting/decrypting service-managed secrets.witty-yacht-82771
02/11/2020, 4:40 PMwhite-balloon-205
Pulumi stack outputs -s <name> —show-secrets
do what you want?witty-yacht-82771
02/12/2020, 8:10 AMstack ouput
is perfect for nowwhite-balloon-205
StackReference
. I’m not sure precisely what you are referring to with “the API” here - but maybe that helps?