When using `pulumi login --local` , is there a way...
# general
n
When using `pulumi login --local`, is there a way to skip/disable this passphrase thing? There is absolutely no point in using it, as there is no way it can ever be secure setting it as an env variable?
b
you can set a blank passphrase:

```shell
export PULUMI_CONFIG_PASSPHRASE=""
```
but you need to set some value for it so that we can encrypt stack secrets
n
Windows doesn't accept empty environment variables
And setting environment variables isn't a safe way to store that anyway. Why is there no option to disable it all together. I know you shouldn't do that for production environments, but in dev that's just annoying.
Especially since other programs can read out environment variables. I don't wanna be setting it each time I run pulumi and placing in my profile is a bad idea imho
b
well today I learned, I guess set it to "changeme" We cannot turn it off, because we encrypt secrets inside the state and we need a key to encrypt it with. Generally we recommend people only use passphrase for development environments and set it to an easy to remember value. For production, we recommend a cloud secrets provider like awskms or azurekms: https://www.pulumi.com/blog/peace-of-mind-with-cloud-secret-providers/
i understand the concern about setting the values as environment variables, but leaving secrets in plaintext is equally as unacceptable to us. the passphrase mechanism is an option for quick development iteration
n
indeed, I plan to use vault for this, but on a local dev cluster that got me annoyed. Maybe something extra in the docs would help there, that would have prevented me from even trying
b
what would you like to add to the docs to make it clearer?
r
Hey Giovanni! @billowy-army-68599 is doing his best to help you. Repeatedly calling our work “annoying” is not a great way to build trust so we continue to want to help you 🙂
n
I didn't call your work annoying. I said I got annoyed. I didn't want to disrespect anybody.
@billowy-army-68599 There are no real guides in the docs on using the local backend (`pulumi login --local`) and what the consequences and the best practices to follow there are. No information on how to use the PULUMI_CONFIG_PASSPHRASE_FILE. I had to restart 7 times, deleting my .pulumi folder (once I knew where it was), because I tried setting the passphrase to an empty value (like ssh perfectly accepts), which it happily accepted, but then refused to destroy the stack.
That got me into searching how to set an environment var to an empty value, which can't be done in Windows. So either never accept an empty value as a passphrase in the first place, or accept it and be able to work with it. That'd be my advice.
b
I've opened https://github.com/pulumi/docs/issues/6091 to track this, we do have the following links: https://www.pulumi.com/docs/intro/concepts/state/#logging-into-the-local-filesystem-backend but it doesn't mention the passphrase portion, so we'll try and improve this
n
Is accepting an empty passphrase desirable? As that would never work when later destroying the stack. That's one of the first things I tried: "Will pulumi clean everything up like terraform does when I destroy it?"
b
what do you mean? setting a passphrase to an empty string definitely works
b
Yes this definitely works - I even added a test for this on our last release to make sure that it doesn’t regress
n
Well, I did hit it just now on Windows, so either that test is not water-tight or there is a bug. Thing is, you cannot set an empty string to an environment variable.
So the `pulumi up` works, but then a `pulumi destroy -s <stackname>` fails, saying it can't find the env variable as there isn't any.
b
You should be able to use something like `Cmd /v /c "set PULUMI_CONFIG_PASSPHRASE=\"\" pulumi up"` and it'll set the env var in-process. This test is currently passing for us on Windows - the test where we do this is here https://github.com/pulumi/pulumi/pull/7019/files#diff-e26b69e905f24f969a12360b000fa75a1881737f03b4cf99d44585992e5b40ccR597
Always happy to update this in our docs as part of the issue Lee opened above
n
hmmm, cmd... in powershell setting an empty string to an environment var deletes it.
@broad-dog-22463 adding that one-liner to the docs for those who want it might be useful, since it doesn't work in powershell. That distinction threw me off.
b
The alternative for you would be to set a file on disk that’s empty and use PULUMI_CONFIG_PASSPHRASE_FILE to point to that empty file and your shell will respect that for sure
The file must exist of course
n
Yep, that seems to work.
I found nothing in the docs on PULUMI_CONFIG_PASSPHRASE_FILE so I didn't try that
b
That’s a complete miss then on our part - I apologise for that and will get rectified!
n
@broad-dog-22463 Tnx, that fixes my issue. I can now have local dev deployments on my cluster without having to specify a passphrase anywhere. Perfect! Of course, in production, I will use vault (or something else) to get that value.
b
That’s great news! Glad we were able to point you in the right direction