# general
a
Hi, I’m pulling in secrets from config as follows:
```typescript
import * as pulumi from "@pulumi/pulumi";

const cfg = new pulumi.Config();
const dbUsername = cfg.requireSecret("db_username");
const dbPassword = cfg.requireSecret("db_password");
```
When I run `pulumi stack export --file stack.json` these details are appearing in plain text in the exported file, under an `outputs` node. Is that expected?
b
Hi @broad-dog-22463 What version of Pulumi are you using?
@agreeable-traffic-11888*
a
v1.14.1 @broad-dog-22463
b
so I have the following in my pulumi app
```typescript
import * as pulumi from "@pulumi/pulumi";

const cfg = new pulumi.Config();
const dbUsername = cfg.requireSecret("db_username");
const dbPassword = cfg.requireSecret("db_password");

export const user = dbUsername;
export const pw = dbPassword;
```
I have the following in my Pulumi.dev.yaml
```
▶ cat Pulumi.dev.yaml
config:
  secrets:db_password: MyPassword1234!
  secrets:db_username: rootUser
```
```
▶ pulumi up --yes --skip-preview
Updating (dev):
     Type                 Name         Status
 +   pulumi:pulumi:Stack  secrets-dev  created

Outputs:
    pw  : "[secret]"
    user: "[secret]"

Resources:
    + 1 created

Duration: 3s
```
```json
{
  "version": 3,
  "deployment": {
    "manifest": {
      "time": "2020-04-16T16:35:05.141064+01:00",
      "magic": "b4c27b9ea131fefdc2090b2fd0e08de221f1d26b5f7cfbbaf74f86e1123059a7",
      "version": "v1.14.1"
    },
    "secrets_providers": {
      "type": "service",
      "state": {
        "url": "https://api.pulumi.com",
        "owner": "stack72",
        "project": "secrets",
        "stack": "dev"
      }
    },
    "resources": [
      {
        "urn": "urn:pulumi:dev::secrets::pulumi:pulumi:Stack::secrets-dev",
        "custom": false,
        "type": "pulumi:pulumi:Stack",
        "outputs": {
          "pw": {
            "4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb44270",
            "ciphertext": "AAABAMlyCKlz16OObcTPlx8o2xsuPEsrCESVLt+S9oS9tltrN0op7hfpfh1FrLnSFQ=="
          },
          "user": {
            "4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb44270",
            "ciphertext": "AAABAFRmO08aa/G7xeDWDCW9iukWzqHqWS54WoyiXfluDkutsSUEtSWz"
          }
        }
      }
    ]
  }
}
```
I don't see any unencrypted secrets in the outputs section
a
I’ll split out a separate project and see if I can replicate there. I’m creating an RDS instance, and the plaintext password is showing up in the `outputs` for that:
```typescript
import * as aws from "@pulumi/aws";
import * as pulumi from "@pulumi/pulumi";

// c19track, subnetGroup and cluster are defined elsewhere in the program (not shown).
const cfg = new pulumi.Config();
const dbUsername = cfg.requireSecret("db_username");
const dbPassword = cfg.requireSecret("db_password");

const db = new aws.rds.Instance(c19track, {
    engine: "postgres",
    instanceClass: aws.rds.InstanceTypes.T3_Micro,
    allocatedStorage: 5,
    dbSubnetGroupName: subnetGroup.id,
    vpcSecurityGroupIds: cluster.securityGroups.map(g => g.id),
    name: "c19",
    username: dbUsername,
    password: dbPassword,
    skipFinalSnapshot: true,
});
```