This message was deleted Pulumi Community #general

Join Slack

This message was deleted.

# general

sparse-intern-71089

02/11/2020, 4:15 PM

This message was deleted.

colossal-beach-47527

02/11/2020, 4:20 PM

Hey @witty-yacht-82771, if you let me know the specific use-case I can get you the specific URLs and describe the request payload data as needed. While we will publish/document our REST API, we just haven’t gotten around to it yet. Though one day we’d like to have a full Swagger spec, etc. so that you can write whatever custom integration you’d want. But for now I’m happy to assist. Let me look up the specific endpoint for decrypting secrets…

witty-yacht-82771

02/11/2020, 4:21 PM

Yeah, specific use case is pulling some secrets into a Docker container without needing to install the full Pulumi CLI

witty-yacht-82771

02/11/2020, 4:22 PM

I was able to find the following from awhile ago in slack, which works great, just need for secrets:

witty-yacht-82771

02/11/2020, 4:22 PM

curl -H "Authorization: token ${PULUMI_ACCESS_TOKEN}" <https://api.pulumi.com/api/stacks/$>{STACK}/export

colossal-beach-47527

02/11/2020, 4:32 PM

If you are using the Pulumi Service to manage configuration secrets, you can use our API endpoint to decrypt data from its cipher text.

Copy code

POST <https://api.pulumi.com/api/stacks/>{stack-identity}/encrypt

// EncryptValueResponse defines the response body for an encrypted value.
type EncryptValueResponse struct {
    // The encrypted value.
    Ciphertext []byte `json:“ciphertext”`
}
POST <https://api.pulumi.com/api/stacks/>{stack-identity}/decrypt

// DecryptValueRequest defines the request body for decrypting a value.
type DecryptValueRequest struct {
    // The value to decrypt.
    Ciphertext []byte `json:“ciphertext”`
}

The qualified stack identity is “{orgName}/{projectName}/{stackName}“. So since my Pulumi user account name is “chrsmith”, and the project name from

Pulumi.yaml

is “resources”, then to decrypt the configuration secret using

curl

the command would be:

Copy code

curl \
    -X POST \
    -H "Authorization: token $PULUMI_ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"ciphertext":"..."}' \
    <https://api.pulumi.com/api/stacks/chrsmith/resources/demo/decrypt>

colossal-beach-47527

02/11/2020, 4:33 PM

I tried to run that locally and got some weird results. It looks like it’s something related to the specific way Golang will convert the cipher text string to a

[]byte

and then serialize that as JSON. (So perhaps when we do publish this API we’d just have it accept a more intuitive

string

instead.) So you might need to play around with the input, etc. But that’s the underlying API endpoints for encrypting/decrypting service-managed secrets.

witty-yacht-82771

02/11/2020, 4:40 PM

OK thanks, I’ll play with it

witty-yacht-82771

02/11/2020, 4:49 PM

I guess my other question would be whether there’s a cleaner/more standard way to do this: get lots of secret values from a remote stack into my environment

white-balloon-205

02/11/2020, 5:53 PM

@witty-yacht-82771 can you clarify exactly what you have in mind when you say “get lots of secret values from a remote stack into my environment”? Does

Pulumi stack outputs -s <name> —show-secrets

do what you want?

witty-yacht-82771

02/12/2020, 8:10 AM

@white-balloon-205 — that’s what I’ll end up using, and that does do what I want. I was hoping to use the API in order to not have to include the Pulumi CLI dependency, but it seems not fully baked yet, so

stack ouput

is perfect for now

witty-yacht-82771

02/12/2020, 8:10 AM

Thanks for the help!

white-balloon-205

02/12/2020, 2:57 PM

FWIW - If you are trying to do this within your Pulumi program - you can also use

StackReference

. I’m not sure precisely what you are referring to with “the API” here - but maybe that helps?

5 Views

Open in Slack

Previous Next