I have a secret that I need to pass as a build arg...
# general
k
I have a secret that I need to pass as a build arg to a docker.Image but I cannot get it to pass it decrypted. Definition:
export const sec = pulumiConfig.requireSecret("secKey");
I've tried
pulumi.all([sec]).apply(([secString])  => { return { ARG_NAME: secString }; });
and
{ ARG_NAME: sec.apply(v=>v) }
Neither of these works, the value is always either
[secret]
or
Calling [toString] on an [Output<T>] is not supported.\n\nTo get the value of an Output...
For what it's worth, pulumi.all works fine on a secret imported from another stack using a StackReference
f
Can you share the code for the docker image? (redacting any potentially sensitive information of course 🙂) Want to get a better idea of how you have it set up. Without seeing the code, I’d suggest trying this:
const buildArgs = sec.apply( secret => {
    return {
        args: { 
            ARG_NAME: secret 
        }
    }
});

const dockerImage = new docker.Image("name", {
    imageName: "image-name",
    build: buildArgs
});
_Note_: Inside of an apply or all, your secret will be decrypted for use within the callback in plaintext. It is up to your program to treat this value sensitively and only pass the value to code that you trust.
k
@future-barista-68134, cleaned up code
const pulumiConfig = new pulumi.Config();

const sec = pulumiConfig.requireSecret("secKey");
const sec2 = pulumiConfig.requireSecret("sec2Key");

const buildArgs = pulumi.all([sec, sec2]).apply(([secVal, sec2Val]) => {
  return {
    ARG1: secVal,
    ARG2: sec2Val,
  };
});

const imageName = "spark-dotnet";
const imageVersion = "v1beta-0.0.1-spark-2.4.5";
const image = new docker.Image(imageName, {
  imageName: pulumi.interpolate`${k8sInfraStack.k8sRegistryLoginServer}/${imageName}:${imageVersion}`,
  build: {
    context: `./spark-dotnet-docker`,
    args: buildArgs,
  },
  registry: {
    server: k8sInfraStack.k8sRegistryLoginServer,
    username: k8sInfraStack.k8sRegistryUsername,
    password: k8sInfraStack.k8sRegistryPassword,
  },
});
f
Great, that looks like it should work.. does it?
k
No, doesn't work 😞
it's actually slightly different sorry
const buildArgs = pulumi.all([sec, sec2]).apply(([secVal, sec2Val]) => {
  return {
    ARG1: `https://${secVal}@org.visualstudio.com`,
results in
fatal: could not read Password for 'https://[secret]@org.visualstudio.com': No such device or address
in my case, sec is an Azure DevOps PAT
f
This seems like it could be a bug, can you create an issue here: https://github.com/pulumi/pulumi/issues One last thing to try:
const buildArgs = pulumi.all([sec, sec2]).apply(([secVal, sec2Val]) => {
  return {
    context: `./spark-dotnet-docker`,
    args: {
        ARG1: secVal,
        ARG2: sec2Val
    }
  }
});

const imageName = "spark-dotnet";
const imageVersion = "v1beta-0.0.1-spark-2.4.5";
const image = new docker.Image(imageName, {
  imageName: pulumi.interpolate`${k8sInfraStack.k8sRegistryLoginServer}/${imageName}:${imageVersion}`,
  build: buildArgs,
  registry: {
    server: k8sInfraStack.k8sRegistryLoginServer,
    username: k8sInfraStack.k8sRegistryUsername,
    password: k8sInfraStack.k8sRegistryPassword,
  },
});
If I have time I’ll try and reproduce this myself…
k
Thanks @future-barista-68134, I tried that model, same result, issue 4675 created
👍 1