Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
plugin-framework
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
n
nice-eye-54931
06/03/2021, 7:32 PMWhen using
pulumi login --localb
billowy-army-68599
06/03/2021, 7:48 PMyou can set a blank passphrase:
export PULUMI_CONFIG_PASSPHRASE=""n
nice-eye-54931
06/03/2021, 7:53 PMWindows doesn't accept empty environment variables
And setting environment variables isn't a safe way to store that anyway. Why is there no option to disable it all together. I know you shouldn't do that for production environments, but in dev that's just annoying.
Especially since other programs can read out environment variables. I don't wanna be setting it each time I run pulumi and placing in my profile is a bad idea imho
b
billowy-army-68599
06/03/2021, 7:56 PMwell today I learned, I guess set it to "changeme"
We cannot turn it off, because we encrypt secrets inside the state and we need a key to encrypt it with. Generally we recommend people only use passphrase for development environments and set it to an easy to remember value. For production, we recommend a cloud secrets provider like awskms or azurekms:
https://www.pulumi.com/blog/peace-of-mind-with-cloud-secret-providers/
i understand the concern about setting the values as environment variables, but leaving secrets in plaintext is equally as unacceptable to us. the passphrase mechanism is an option for quick development iteration
n
nice-eye-54931
06/03/2021, 8:02 PMindeed, I plan to use vault for this, but on a local dev cluster that got me annoyed. Maybe something extra in the docs would help there, that would have prevented me from even trying
b
billowy-army-68599
06/03/2021, 8:02 PMwhat would like to add to the docs to make it clearer?
r
red-match-15116
06/03/2021, 8:05 PMHey Giovanni! @billowy-army-68599 is doing his best to help you. Repeatedly calling our work “annoying” is not a great way to build trust so we continue to want to help you 🙂
n
nice-eye-54931
06/03/2021, 8:07 PMI didn't call your work annoying. I said I got annoyed. I didn't want to disrespect anybody.
@billowy-army-68599 There are no real guides in the docs on using the local backend (
pulumi login --localThat got me into searching how to set an environment var to an empty value, which can't be done in Windows. So either never accept an empty value as a paraphrase in the first place or accept it and bbe able to work with it. That'd be my advice
b
billowy-army-68599
06/03/2021, 8:18 PMI've opened https://github.com/pulumi/docs/issues/6091 to track this, we do have the following links:
https://www.pulumi.com/docs/intro/concepts/state/#logging-into-the-local-filesystem-backend
but it doesn't mention the passphrase portion, so we'll try and improve this
🙌 1
n
nice-eye-54931
06/03/2021, 8:28 PMIs accepting an empty paraphrase desirable? As that would never work when later destroying the stack. That's one of the first things I tried: "Will pulumi clean everything up like terraform does when I destroy it?"
b
billowy-army-68599
06/03/2021, 8:31 PMwhat do you mean? setting a passphrase to an empty string definitely works
➕ 1
b
broad-dog-22463
06/03/2021, 8:32 PMYes this definitely works - I even added a test for this on our last release to make sure that it doesn’t regress
n
nice-eye-54931
06/03/2021, 8:49 PMWell, I did hit it just now on Windows, so either that test is not water-tight or there is a bug. Thing is, that you cannot set an empty string to an environment variable.
so the
pulumi uppulumi destroy -s <stackname>b
broad-dog-22463
06/03/2021, 9:12 PMYou should be able to use something like
Cmd /v /c “set PULUMI_CONFIG_PASSPHRASE=\”\” pulumi up” and it’ll set the env var in process
This test is currently passing for us on windows - the test where we do this is here https://github.com/pulumi/pulumi/pull/7019/files#diff-e26b69e905f24f969a12360b000fa75a1881737f03b4cf99d44585992e5b40ccR597
Always happy to update this in our docs as part of the issue Lee opened above
n
nice-eye-54931
06/03/2021, 9:30 PMhmmm, cmd...in powershell setting an empty string to an environment var deletes it:
@broad-dog-22463 adding that one-liner to the docs those who want it, might be useful, since it doesn't work in powershell. That distinction threw me off.
b
broad-dog-22463
06/03/2021, 9:49 PMThe alternative for you would be to set a file on disk that’s empty and use PULUMI_CONFIG_PASSPHRASE_FILE to point to that empty file and your shell will respect that for sure
The file must exist of course
n
nice-eye-54931
06/03/2021, 9:56 PMYep, that seems to work.
I found nothing in the docs on PULUMI_CONFIG_PASSPHRASE_FILE so I didn't try that
b
broad-dog-22463
06/03/2021, 9:59 PMThat’s a complete miss then on our part - I apologise for that and will get rectified!
n
nice-eye-54931
06/03/2021, 9:59 PM@broad-dog-22463 Tnx, that fixes my issue. I can now have local dev deployments on my cluster with having to specify a paraphrase anywhere. Perfect! Of course, in production, I will use vault (or something else) to get that value.
b
broad-dog-22463
06/03/2021, 10:01 PMThat’s great news! Glad we were able to point you in the right direction