https://pulumi.com logo
#general
Title
# general
a

agreeable-traffic-11888

04/16/2020, 2:10 PM
Hi, I’m pulling in secrets from config as follows:
Copy code
const cfg = new pulumi.Config();
const dbUsername = cfg.requireSecret("db_username");
const dbPassword = cfg.requireSecret("db_password");
When I run
pulumi stack export --file stack.json
these details are appearing in plain text in the exported file, under an
outputs
node. Is that expected?
b

broad-dog-22463

04/16/2020, 3:28 PM
Hi @broad-dog-22463 What version of Pulumi are you using?
@agreeable-traffic-11888*
a

agreeable-traffic-11888

04/16/2020, 3:32 PM
v1.14.1 @broad-dog-22463
b

broad-dog-22463

04/16/2020, 3:33 PM
so I have the following in my pulumi app
Copy code
import * as pulumi from "@pulumi/pulumi";

const cfg = new pulumi.Config();
const dbUsername = cfg.requireSecret("db_username");
const dbPassword = cfg.requireSecret("db_password");

export const user = dbUsername;
export const pw = dbPassword;
I have the following in my Pulumi.dev.yaml
Copy code
▶ cat Pulumi.dev.yaml
config:
  secrets:db_password: MyPassword1234!
  secrets:db_username: rootUser
Copy code
▶ pulumi up --yes --skip-preview
Updating (dev):
     Type                 Name         Status
 +   pulumi:pulumi:Stack  secrets-dev  created

Outputs:
    pw  : "[secret]"
    user: "[secret]"

Resources:
    + 1 created

Duration: 3s
Copy code
{
  "version": 3,
  "deployment": {
    "manifest": {
      "time": "2020-04-16T16:35:05.141064+01:00",
      "magic": "b4c27b9ea131fefdc2090b2fd0e08de221f1d26b5f7cfbbaf74f86e1123059a7",
      "version": "v1.14.1"
    },
    "secrets_providers": {
      "type": "service",
      "state": {
        "url": "<https://api.pulumi.com>",
        "owner": "stack72",
        "project": "secrets",
        "stack": "dev"
      }
    },
    "resources": [
      {
        "urn": "urn:pulumi:dev::secrets::pulumi:pulumi:Stack::secrets-dev",
        "custom": false,
        "type": "pulumi:pulumi:Stack",
        "outputs": {
          "pw": {
            "4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb44270",
            "ciphertext": "AAABAMlyCKlz16OObcTPlx8o2xsuPEsrCESVLt+S9oS9tltrN0op7hfpfh1FrLnSFQ=="
          },
          "user": {
            "4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb44270",
            "ciphertext": "AAABAFRmO08aa/G7xeDWDCW9iukWzqHqWS54WoyiXfluDkutsSUEtSWz"
          }
        }
      }
    ]
  }
}
I don't see any unencrypted secrets in the outputs section
a

agreeable-traffic-11888

04/16/2020, 3:38 PM
I’ll split out a separate project and see if I can replicate there. I’m creating an rds instance, and the plaintext password is showing up in the
outputs
for that
Copy code
const cfg = new pulumi.Config();
const dbUsername = cfg.requireSecret("db_username");
const dbPassword = cfg.requireSecret("db_password");

const db = new aws.rds.Instance(c19track, {
    engine: "postgres",
    instanceClass: aws.rds.InstanceTypes.T3_Micro,
    allocatedStorage: 5,
    dbSubnetGroupName: subnetGroup.id,
    vpcSecurityGroupIds: cluster.securityGroups.map(g => g.id),
    name: "c19",
    username: dbUsername,
    password: dbPassword,
    skipFinalSnapshot: true,
});
2 Views