Channels
#general
Title
p
purple-train-14007
09/28/2021, 4:14 PMAnyone know how Im supposed to set these config passphrases? I am setting them to blank because we dont use pulumis secrets manager but rather have our own security internally that handles protecting our stacks. I looked at the feedback in the github repo and have tried all the things others have tried. Since none of this is working and since this basically stops me from updating my environment I put a note on the chocolatey repo about this issue and that they may run into it. This breaks customers just an FYI
b
billowy-army-68599
09/28/2021, 4:24 PM
Hi @purple-train-14007 - is this a new issue? or has this just started happening?
p
purple-train-14007
09/28/2021, 4:26 PMThis happened to me earlier this week when I went to update my code but looking at your repo this is an ongoing issue and they keep getting closed but none of the newer versions of Pulumi are "fixing" it for me
b
billowy-army-68599
09/28/2021, 4:27 PM
can you link to some of the issues? we have lots of people setting this without issue on windows
p
purple-train-14007
09/28/2021, 4:27 PMI can see you guys merged this as a workaround
b
billowy-army-68599
09/28/2021, 4:29 PM
if you dump your env vars, do you see it set?
p
purple-train-14007
09/28/2021, 4:29 PMbut for some reason setting this variable doesnt work in powershell. I tried
$env:PULUMI_CONFIG_PASSPHRASE = ""
and
$PULUMI_CONFIG_PASSPHRASE = ""
Copy code
PUBLIC C:\Users\Public
PULUMI_CONFIG_PASSPHRASE test
PyCharm Community Edition C:\Program Files\JetBrains\PyCharm Community Edition 2020.2.3\bin;Is there another way besides setting this variable?
maybe a way to get pulumi to prompt for passphrase again will work?
b
billowy-army-68599
09/28/2021, 4:37 PM
@broad-dog-22463 any ideas?
s
steep-toddler-94095
09/28/2021, 4:39 PMit looks like the env var didn't work for you but have you tried
PULUMI_CONFIG_PASSPHRASE_FILEp
purple-train-14007
09/28/2021, 4:40 PMI have, no dice
s
steep-toddler-94095
09/28/2021, 4:41 PMwhat about this?
pulumi stack --stack SEA change-secrets-provider passphrasep
purple-train-14007
09/28/2021, 4:51 PMSame error
I had tried that earlier today as well but retried just now ^
b
billowy-army-68599
09/28/2021, 4:53 PM
can you please file an issue in pulumi/pulumi for this? I haven't seen this before on a windows machine up to now
b
broad-dog-22463
09/28/2021, 4:55 PM@purple-train-14007 is this definitely a stack that has no passphrase?
b
billowy-army-68599
09/28/2021, 4:55 PM
it looks like the issue here is windows not supporting empty environment variables...
b
broad-dog-22463
09/28/2021, 4:56 PMI wonder if ....
PULUMI_CONFIG_PASSPHRASE=" "notice the empty space not ""
b
billowy-army-68599
09/28/2021, 4:57 PM
you can also add a reg key
https://stackoverflow.com/a/38851495/645002
p
purple-train-14007
09/28/2021, 4:58 PMAh yeah I added the space since it wouldnt keep the env var when I was setting it this morning
lemme try adding the regkey
b
billowy-army-68599
09/28/2021, 5:00 PM
this does seem to be a limitation of windows, rather than a pulumi issue. Would it be possible to keep the var as "test" like it is when you dump your values?
Copy code
$env:PULUMI_CONFIG_PASSPHRASE = "empty"s
steep-toddler-94095
09/28/2021, 5:00 PMif it were just a limitation on windows wouldn't an empty passphrase file work? but topher said it didn't
b
billowy-army-68599
09/28/2021, 5:01 PM
that should work yes, but you'd need to set it to value with an empty file
p
purple-train-14007
09/28/2021, 5:01 PMI added the key lemme try now
b
billowy-army-68599
09/28/2021, 5:02 PM
as @steep-toddler-94095 says, you can do:
Copy code
$env:PULUMI_CONFIG_PASSPHRASE_FILE="C:/Users/cglover/dev/emptywith
C:/Users/cglover/dev/emptyp
purple-train-14007
09/28/2021, 5:03 PMsorry catching up on thread bare with me a moment
ok made the file again and pointed to it. Same error
@billowy-army-68599 you want me to change the var but keep test?
per @billowy-army-68599 request I set it to test and tried as well. I think thats what he was asking
is it possible to make a change to the stack file I have in my Azure backend? Maybe that could prompt me to set the password to something?
lemme try doing this in the linux subsystem. Maybe that can be a work around
b
billowy-army-68599
09/28/2021, 5:18 PM
Does the existing stack have an empty password?
p
purple-train-14007
09/28/2021, 5:18 PMyep
b
billowy-army-68599
09/28/2021, 5:21 PM
yeah I'd change it to a string on another system, and avoid empty strings if you're using windows clients
p
purple-train-14007
09/28/2021, 5:21 PMShould put that on your site to prevent people from having a stroke lol
maybe a feature request to have an -empty flag on setting secrets to support not having one on a stack file. A lot of businesses have their own security stuff in place which make setting the password moot. Not to mention a lot of places are .net ecosystems like mine...except we used to be microsoft so especially so for us
Im setting up this linux subsystem right now. Ill let you all know if I can get it to work again
b
billowy-army-68599
09/28/2021, 5:27 PM
most organizations i've spoken to either use our key management, or specify a KMS key from their cloud provider. Passphrase security is usually the last resort, and only used for local storage during testing
I'd be interested to hear more about how you're handling the security. It seems you're also using OSS backends?
p
purple-train-14007
09/28/2021, 5:36 PMSo I was denied using your key management system by our security team including your SAAS service because you dont meet our compliance requirements. Thats what I was told at least
So for our backends we are using the cloud providers backend such as Az Blob and AWS S3
we have a bunch of self developed tools we use to encrypt them and a bunch of other stuff I dont have visibility into as I dont own the service
Update Able to select the stack on linux and am starting some testing to make sure all is well
If you guys can get SOC2 compliant and show proof on your site I can send that to our security and theyd more than likely let us use all your stuff
Thanks for all your help everyone. I greatly appreciate it! ❤️ pp wise
b
broad-dog-22463
09/28/2021, 5:52 PMwe are Soc2 compliant Topher
b
billowy-army-68599
09/28/2021, 6:00 PM
you can also use your own KMS key to encrypt secrets:
https://www.pulumi.com/blog/peace-of-mind-with-cloud-secret-providers/
🙌 1
p
purple-train-14007
09/28/2021, 6:03 PMOh sweet. This has changed since I last submitted your software to EGS last October
Do you happen to have an official attestation of compliance?
b
billowy-army-68599
09/28/2021, 6:04 PM
if you email support@pulumi.com we can help you here
p
purple-train-14007
09/28/2021, 6:04 PMThanks a lot and Im assuming you are also have PCI compliance certification as well right?
Im re-reading the notes from this proposal I did to security and those were two things that ended being the blocker
b
billowy-army-68599
09/28/2021, 6:07 PM
that I'm not sure of offhand, the support email is your best next step
p
purple-train-14007
09/28/2021, 6:20 PMSent the email! 🙂
b
billowy-army-68599
09/28/2021, 6:22 PM
just got it! thanks!
p
purple-train-14007
09/28/2021, 6:23 PMIf I can get an attestation of compliance then I can get my procurement team to contact you and get licenses for the SAAS solution.