I’ve been able to access stack exports, but can’t ...
# general
w
I’ve been able to access stack exports, but can’t figure out how to decrypt secrets from the REST API, since I can’t find documentation for it
c
Hey @witty-yacht-82771, if you let me know the specific use-case I can get you the specific URLs and describe the request payload data as needed. While we will publish/document our REST API, we just haven’t gotten around to it yet. Though one day we’d like to have a full Swagger spec, etc. so that you can write whatever custom integration you’d want. But for now I’m happy to assist. Let me look up the specific endpoint for decrypting secrets…
w
Yeah, specific use case is pulling some secrets into a Docker container without needing to install the full Pulumi CLI
I was able to find the following from awhile ago in slack, which works great, just need for secrets:
curl -H "Authorization: token ${PULUMI_ACCESS_TOKEN}" https://api.pulumi.com/api/stacks/${STACK}/export
c
If you are using the Pulumi Service to manage configuration secrets, you can use our API endpoint to decrypt data from its cipher text.
POST https://api.pulumi.com/api/stacks/{stack-identity}/encrypt

// EncryptValueResponse defines the response body for an encrypted value.
type EncryptValueResponse struct {
    // The encrypted value.
    Ciphertext []byte `json:"ciphertext"`
}
POST https://api.pulumi.com/api/stacks/{stack-identity}/decrypt

// DecryptValueRequest defines the request body for decrypting a value.
type DecryptValueRequest struct {
    // The value to decrypt.
    Ciphertext []byte `json:"ciphertext"`
}
The qualified stack identity is “{orgName}/{projectName}/{stackName}”. So since my Pulumi user account name is “chrsmith”, and the project name from Pulumi.yaml is “resources”, then to decrypt the configuration secret using curl the command would be:
curl \
    -X POST \
    -H "Authorization: token $PULUMI_ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"ciphertext":"..."}' \
    https://api.pulumi.com/api/stacks/chrsmith/resources/demo/decrypt
I tried to run that locally and got some weird results. It looks like it’s something related to the specific way Golang will convert the cipher text string to a []byte and then serialize that as JSON. (So perhaps when we do publish this API we’d just have it accept a more intuitive string instead.) So you might need to play around with the input, etc. But that’s the underlying API endpoints for encrypting/decrypting service-managed secrets.
w
OK thanks, I’ll play with it
I guess my other question would be whether there’s a cleaner/more standard way to do this: get lots of secret values from a remote stack into my environment
w
@witty-yacht-82771 can you clarify exactly what you have in mind when you say “get lots of secret values from a remote stack into my environment”? Does pulumi stack output -s <name> --show-secrets do what you want?
w
@white-balloon-205 — that’s what I’ll end up using, and that does do what I want. I was hoping to use the API in order to not have to include the Pulumi CLI dependency, but it seems not fully baked yet, so stack output is perfect for now
Thanks for the help!
w
FWIW - If you are trying to do this within your Pulumi program - you can also use StackReference. I’m not sure precisely what you are referring to with “the API” here - but maybe that helps?