
kind-mechanic-53546

05/19/2020, 7:23 AM
I have a secret that I need to pass as a build arg to a `docker.Image` but I cannot get it to pass it decrypted
Definition: `export const sec = pulumiConfig.requireSecret("secKey");`
I've tried `pulumi.all([sec]).apply(([secString]) => { return { ARG_NAME: secString }; });` and `{ ARG_NAME: sec.apply(v=>v) }`
Neither of these works, the value is always either `[secret]` or `Calling [toString] on an [Output<T>] is not supported.\n\nTo get the value of an Output...`
For what it's worth, `pulumi.all` works fine on a secret imported from another stack using a StackReference

future-barista-68134

05/19/2020, 2:05 PM
Can you share the code for the docker image? (redacting any potentially sensitive information of course 🙂) Want to get a better idea of how you have it set up. Without seeing the code, I’d suggest trying this:
```typescript
const buildArgs = sec.apply( secret => {
    return {
        args: {
            ARG_NAME: secret
        }
    }
});

const dockerImage = new docker.Image("name", {
    imageName: "image-name",
    build: buildArgs
});
```
_Note_: Inside of an `apply` or `all`, your secret will be decrypted for use within the callback in plaintext. It is up to your program to treat this value sensitively and only pass the value to code that you trust.

kind-mechanic-53546

05/19/2020, 10:09 PM
@future-barista-68134, cleaned up code
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as docker from "@pulumi/docker";

// k8sInfraStack is defined elsewhere in the program (not shown in this snippet).
const pulumiConfig = new pulumi.Config();

// requireSecret returns an Output<string> that is marked as secret.
const sec = pulumiConfig.requireSecret("secKey");
const sec2 = pulumiConfig.requireSecret("sec2Key");

// Combine both secrets into a single Output holding the build-arg map.
const buildArgs = pulumi.all([sec, sec2]).apply(([secVal, sec2Val]) => {
  return {
    ARG1: secVal,
    ARG2: sec2Val,
  };
});

const imageName = "spark-dotnet";
const imageVersion = "v1beta-0.0.1-spark-2.4.5";
const image = new docker.Image(imageName, {
  imageName: pulumi.interpolate`${k8sInfraStack.k8sRegistryLoginServer}/${imageName}:${imageVersion}`,
  build: {
    context: `./spark-dotnet-docker`,
    args: buildArgs,
  },
  registry: {
    server: k8sInfraStack.k8sRegistryLoginServer,
    username: k8sInfraStack.k8sRegistryUsername,
    password: k8sInfraStack.k8sRegistryPassword,
  },
});
```

future-barista-68134

05/19/2020, 11:26 PM
Great, that looks like it should work.. does it?

kind-mechanic-53546

05/20/2020, 4:26 AM
No, doesn't work 😞
it's actually slightly different sorry
```typescript
const buildArgs = pulumi.all([sec, sec2]).apply(([secVal, sec2Val]) => {
  return {
    ARG1: `https://${secVal}@org.visualstudio.com`,
    ARG2: sec2Val,
  };
});
```
results in
```
fatal: could not read Password for 'https://[secret]@org.visualstudio.com': No such device or address
```
in my case, sec is an Azure DevOps PAT

future-barista-68134

05/20/2020, 12:44 PM
This seems like it could be a bug, can you create an issue here: https://github.com/pulumi/pulumi/issues
One last thing to try:
```typescript
const buildArgs = pulumi.all([sec, sec2]).apply(([secVal, sec2Val]) => {
  return {
    context: `./spark-dotnet-docker`,
    args: {
        ARG1: secVal,
        ARG2: sec2Val
    }
  }
});

const imageName = "spark-dotnet";
const imageVersion = "v1beta-0.0.1-spark-2.4.5";
const image = new docker.Image(imageName, {
  imageName: pulumi.interpolate`${k8sInfraStack.k8sRegistryLoginServer}/${imageName}:${imageVersion}`,
  build: buildArgs,
  registry: {
    server: k8sInfraStack.k8sRegistryLoginServer,
    username: k8sInfraStack.k8sRegistryUsername,
    password: k8sInfraStack.k8sRegistryPassword,
  },
});
```
If I have time I’ll try and reproduce this myself…

kind-mechanic-53546

05/20/2020, 10:58 PM
Thanks @future-barista-68134, I tried that model, same result, issue 4675 created