This message was deleted.

sparse-intern-71089

03/05/2021, 5:10 PM

This message was deleted.

clever-cartoon-41433

03/05/2021, 6:18 PM

There is the additionalSecretOutputs option if you're trying to make sure pulumi handles part of a resource as "secret".

colossal-australia-65039

03/05/2021, 6:51 PM

For the pulumi/eks Cluster resource, the kubeConfig output is not automatically marked as a secret. Am I supposed to have to mark it as a secret explicitly or is that a bug in the API? But my main issue is that even accessing non-secret outputs require the passphrase. It's a security risk to be passing the passphrase around to every stack that only needs a "storageclassname" output for example

ancient-megabyte-79588

03/08/2021, 4:24 AM

Generally speaking, outputs are not secret unless you use

pulumi.secret()

or they are something

pulumi

alread knows about like a password or a kubeconfig file

ancient-megabyte-79588

03/08/2021, 4:25 AM

You should not need the passphrase to be present to access non-secrets config output. That feels like something is amiss.

colossal-australia-65039

03/09/2021, 1:37 AM

well i didn't figure out why I (thought I) was running into that odd behavior, but I changed my secret manager from passphrase to AWS KMS and it's working fine. Thanks for confirming that it shouldn't happen Dave

👍 1

4 Views

Open in Slack

Previous Next

Pulumi Community

No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.