☕ Morning everyone. Is it possible to determine if a value is a secret at runtime? I'm using a structured configuration and eventually looping through all the <JsonElement>s and pushing these to AWS Parameter Store. Everything works, other than when looping through I don't know which values are secrets or not, as I'd like to push them to the parameter store as "SecureString" if possible. I'm using C# if that comes in to play.

Yes. There is an

isSecret

method you can use. Let me just grab the link

Awesome. I honestly did try searching before asking, I promise.

https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/pulumi/#isSecret for nodejs... I think it's something like

.isSecretAsync()

for .net

Thanks!

btw for .net it is static on

Output.IsSecretAsync(...)

@bored-oyster-3147 @brave-planet-10645 Ok, I'm struggling a bit. Since I'm pulling this out of the config as a JsonElement all my values are JsonElements/strings.

JsonElement data = config.RequireObject<JsonElement>("Settings");

Looping through the JsonElements I want, if I Console.WriteLine, it knows its a secret and outputs accordingly.

Console.WriteLine(JsonSerializer.Serialize(data, new JsonSerializerOptions { WriteIndented = true }));

{
        "Region": "us-east-1",
        "SecretKey": "[secret]",
        "User": "service-worker"
}

But I'm struggling to use the Output.IsSecretAsync passing in a string or JsonElement. I tried creating a new Pulumi.Output.Create with the value, but still returns False.

var val = Pulumi.Output.Create(item.Value);
                var isSecret = Task.Run(async () => await Output.IsSecretAsync(val));
                var isSecret2 = await Output.IsSecretAsync(val);                
                Console.WriteLine($"IsSecret: {isSecret.Result}");
                Console.WriteLine($"IsSecret: {isSecret2}");

I'm noobing something up here but I've gone cross eyed.

oh my bad I goofed. I don't know if

Output.IsSecretAsync

is correct for this because this is coming from config so isn't an output?

Correct

Don't you need to know if it's a secret ahead of time? Like it's the difference between using

config.RequireObject<T>

and

config.RequireSecretObject<T>

?

I'm pulling in a whole constructed config chunk as:

config.RequireObject<JsonElement>("Settings");

But when you do that I don't think pulumi is aware of anything inside that object. You're just getting the raw

JsonElement

I think. You might need to manually check if the property has the

{ "secret": { ... } }

shape inside the

JsonElement

When I loop through the tree and Console.Writeline it definitely prints everything but the secrets. It prints them as [secret]

yes that's because you did

RequireObject

which pulumi is not using your passphrase to deserialize so it just has the plaintext

[secret]

for those values

It pushes the correct value to the parameter store though, the unecrypted value of the secret

what is the type at the time that you pass it to the parameter store?

Name = name,
 Value = item.Value.ToString()

JsonElement.Value.ToString()

Then I confess that at the moment I have no idea how that is functioning. I would have to do some digging

I piped it into an Stack Output variable too after I created it as a new Output<string> and it had the decrypted value there as well

So I'm honestly not sure how the

JsonElement.Value.ToString()

is doing any kind of decryption but I guess that's not super relevant to your issue. To get back to your issue, it looks like internally the

Deployment

instance keeps a hash set of all of the fully qualified configuration keys that are secrets and uses this method to check that collection. It doesn't appear that this is exposed any where that I have been able to find, so maybe we could open an issue to expose something like that on the

Config

object

Is that something you'd like me to do?

I'm just a contributor 🙂 @brave-planet-10645 might have another idea but that is what I would do

Gotcha

Let me catch up with the thread

Going to step out to lunch, but I'll check back

So JsonElement is in

System.Text.Json

so Pulumi is just converting the secret config value and passing through as

[secret]

Ya, because it definitely knows its a secret specifically somehow. I get the correct value as stackoutput and in AWS, and its

[secret]

like you mention if I write it out. Below is the full code I'm using to pull it out of the config, flatten the hierarchy, and write it to console. Later on I loop through the settings collection to add each key/value to AWS parameter store. Everything works perfect, other than I'd like to recognize the secrets and add them to parameter store as SecureString.

public AppConfig()
        {
            var config = new Pulumi.Config("Application");
            JsonElement data = config.RequireObject<JsonElement>("Settings");  
            
            SettingsCollection = GetFlat(data.ToString());            

            Console.WriteLine("*************************************");
            Console.WriteLine(JsonSerializer.Serialize(SettingsCollection, new JsonSerializerOptions { WriteIndented = true }));
            Console.WriteLine("*************************************");          
        }

        public static Dictionary<string, JsonElement> GetFlat(string? json)
        {
            if (json == null) return new Dictionary<string, JsonElement>();

            IEnumerable<(string Path, JsonProperty P)> GetLeaves(string? path, JsonProperty p)
                => p.Value.ValueKind != JsonValueKind.Object
                    ? new[] { (Path: path == null ? p.Name : path + "/" + p.Name, p) }
                    : p.Value.EnumerateObject().SelectMany(child => GetLeaves(path == null ? p.Name : path + "/" + p.Name, child));

            using (JsonDocument document = JsonDocument.Parse(json)) 
                return document.RootElement.EnumerateObject()
                    .SelectMany(p => GetLeaves(null, p))
                    .ToDictionary(k => k.Path, v => v.P.Value.Clone()); //Clone so that we can use the values outside of using
        }

Example config with pulumi CLI created structured secret

config:
  Application:Settings:
    AppSettings:
      AllowedLoginAttempts: 4
      CaptchaInfo:
        CaptchaKey: FAKEKEYasdfasdfasdf
        CaptchaSecret:
          secure: REMOVEDojiijfjio32ji23jfj0f3093j923j09

Code for the looping and ssm creation:

foreach (var item in appConfig.SettingsCollection)
            {
                string name = $"/{prefix}/{item.Key}";
                new Ssm.Parameter(name, new Ssm.ParameterArgs
                {
                    Name = name,
                    Value = item.Value.ToString() ?? "[ERROR] config entry null",
                    Type = "String",
                    DataType = "text"
                });
            }

So you need to do

config.RequireSecretObject()

I'm still confused about how his use case is getting the decrypted values at all. I would expect it to be plaintext

[secret]

especially after seeing his

GetFlat(...)

function since he's just getting that nested

JsonElement

and doing

JsonElement.Value.ToString()

So it seems like he just needs to do

RequireSecretObject<JsonElement>()

but not so that his pulumi program functions (cause it does currently) just so that the secrets are decrypted early for the purpose of his string usage

Ya, I wasn't sure how that was going to change anything either. : /

No you won't get that information. It decrypts them all. So you have two choices here. You could either split the config model up into two and have "secret" and a "not-secret" sections, or raise an feature request here and describe what you're looking for

Roger.

Thank you