prehistoric-account-60014

04/07/2020, 4:16 PM
When using a secrets provider like GCP KMS for encrypting and decrypting secrets, will the Pulumi stack permissions be used in addition to the permissions of the underlying provider?

billowy-army-68599

04/07/2020, 4:45 PM
Hey! I believe it uses the permissions of the underlying user invoking the Pulumi CLI. The provider isn’t aware of the secrets.

prehistoric-account-60014

04/07/2020, 4:47 PM
So if I try to do pulumi stack config get secretValue --secret and the underlying secret provider is GCP KMS, it will fail if I don’t have the proper RBAC permissions for the Pulumi stack regardless of whether my gcloud user can access the KMS key?

billowy-army-68599

04/07/2020, 5:14 PM
I don't actually know the answer to that one /cc @white-balloon-205?

white-balloon-205

04/07/2020, 8:53 PM
Pulumi stack RBAC defines what data you can read and write to the Pulumi service - data about projects, stacks, updates, etc. I actually do not believe any RBAC permissions are needed for pulumi config get as that does not need to read or write from the Pulumi service. Are you seeing errors when you try to do this?

prehistoric-account-60014

04/07/2020, 8:55 PM
I wasn’t, I was just doing some GCP work on KMS and an engineer suggested using it as a secret provider (we use the default right now) and I was wondering how the encryption key access was going to play with Pulumi access. It sounds like they don’t overlap since encryption and decryption happen separately from managing Pulumi resources.
Or said in other words, I think you just answered my question 🙂
Follow-up. The default secrets provider will use a different encryption key per stack. Is this provider specific behavior or would Pulumi use a single KMS key for all stacks?

white-balloon-205

04/07/2020, 9:02 PM
You configure the KMS key for each stack you initialize, so you are in control of whether you share across stacks or use unique keys per stack.

prehistoric-account-60014

04/07/2020, 10:15 PM
Perfect
Thanks Luke!