
colossal-australia-65039

03/25/2021, 6:50 PM
I'm using S3 as my state store. Does a StackReference.getOutput('name') require the IAM user be able to read the entire stack state including all secrets in the state?

bored-oyster-3147

03/25/2021, 6:59 PM
I think stack references might require that the stacks on both sides have the same passphrase
as long as your IAM user can GetObject in the bucket you should be good on that front I think

colossal-australia-65039

03/25/2021, 7:11 PM
I'm concerned with a service user having permissions to read the entire state of another stack when all it needs is a couple non-secret outputs from it

bored-oyster-3147

03/25/2021, 8:45 PM
Unfortunately I don't think you can do partial stack references, but there might be a feature request for it though. Or you could make one

worried-knife-31967

03/25/2021, 8:56 PM
Correct, this is a limitation... and if you think about it, it makes sense... in order for the stack reference to be able to decode the secrets from the other stack, it will need to know the passphrase of the source stack, as well as its own. So, in essence, there would need to be a way to pass the source stack's passphrase to the StackReference

bored-oyster-3147

03/25/2021, 9:05 PM
could be an input on the stack reference "resource" that way you could pass it in and they could be different. And a PublicStackReference or something that contains only the outputs and not the secrets isn't a bad idea

worried-knife-31967

03/25/2021, 9:19 PM
sure, but right now, as you can't, that's the reason it won't be able to do it.

bored-oyster-3147

03/25/2021, 9:20 PM
yes, we're aware. I was talking about a feature request.
☝️ 2