When using ESC and 1Password is there a way to take a secret Pulumi Community #esc

When using ESC and 1Password, is there a way to ta...

gorgeous-pillow-13604

05/08/2025, 5:10 PM

When using ESC and 1Password, is there a way to take a secret and assign it to a variable to be used elsewhere? For example, I would like the example.jwk_private to resolve to the retrieved secret from 1Password.

stocky-restaurant-98004

05/08/2025, 10:36 PM

It looks like that's what you're doing. If you save the environment and click open, does it work? (You can optionally show the secrets if you need to see the literal value.)

gorgeous-pillow-13604

05/09/2025, 5:23 PM

I am getting closer, but blocked on the next step. If I have an ESC Project/Environment of

secrets/integration

with:

Copy code

values:
  1password:
    secrets:
      fn::open::1password-secrets:
        login:
          serviceAccountToken:
            fn::secret:
              ciphertext: [redacted]
        get:
          auth_jwk_private:
            ref: <op://Infrastructure/integration.auth/JWK_PRIVATE>
  secrets:
    auth.jwk_private: ${1password.secrets.auth_jwk_private}

And within ESC if I open and show secrets, it displays how I want. But back in my Pulumi.integration.yaml I just have the following:

Copy code

environment:
  - secrets/integration

But when I run

pulumi config

I get:

Copy code

KEY          VALUE
pulumi:tags  {"pulumi:template":""}
The stack's environment does not define the `environmentVariables`, `files`, or `pulumiConfig` properties.
Without at least one of these properties, the environment will not affect the stack's behavior.

Thoughts?

gorgeous-pillow-13604

05/09/2025, 5:31 PM

Oh, nevermind, I think I needed it to be (missing pulumiConifg):

Copy code

pulumiConfig:
    secrets:
      auth.jwk_private: ${1password.secrets.auth_jwk_private}

2 Views

Open in Slack

Previous Next