# general
When using a secrets provider like GCP KMS for encrypting and decrypting secrets, will the Pulumi stack permissions be used in addition to the permissions of the underlying provider?
Hey! I believe it uses the permissions of the underlying user invoking the Pulumi CLI. The provider isn’t aware of the secrets.
So if I try to do
pulumi stack config get secretValue --secret
and the underlying secret provider is GCP KMS, it will fail if I don’t have the proper RBAC permissions for the Pulumi stack regardless of whether my user can access the KMS key?
I don't actually know the answer to that one /cc @white-balloon-205?
Pulumi stack RBAC defines what data you can read and write to the Pulumi service - data about projects, stacks, updates, etc. I actually do not believe any RBAC permissions are needed for
pulumi config get
as that does not need to read or write from the Pulumi service. Are you seeing errors when you try to do this?
I wasn’t; I was just doing some GCP work on KMS and an engineer suggested using it as a secret provider (we use the default right now), and I was wondering how the encryption key access was going to play with Pulumi access. It sounds like they don’t overlap, since encryption and decryption happen separately from managing Pulumi resources.
Or said in other words, I think you just answered my question 🙂
Follow-up. The default secrets provider will use a different encryption key per stack. Is this provider specific behavior or would Pulumi use a single KMS key for all stacks?
You configure the KMS key for each stack you initialize, so you are in control of whether you share across stacks or use unique keys per stack.
Thanks Luke!