# general
p
Anyone know how I'm supposed to set these config passphrases? I am setting them to blank because we don't use Pulumi's secrets manager but rather have our own security internally that handles protecting our stacks. I looked at the feedback in the GitHub repo and have tried all the things others have tried. Since none of this is working and since this basically stops me from updating my environment I put a note on the Chocolatey repo about this issue and that they may run into it. This breaks customers, just an FYI.
b
Hi @purple-train-14007 - is this a new issue? or has this just started happening?
p
This happened to me earlier this week when I went to update my code, but looking at your repo this is an ongoing issue and they keep getting closed, but none of the newer versions of Pulumi are "fixing" it for me.
b
can you link to some of the issues? we have lots of people setting this without issue on windows
p
I can see you guys merged this as a workaround
b
if you dump your env vars, do you see it set?
p
but for some reason setting this variable doesn't work in PowerShell. I tried $env:PULUMI_CONFIG_PASSPHRASE = "" and $PULUMI_CONFIG_PASSPHRASE = ""
PUBLIC                         C:\Users\Public
PULUMI_CONFIG_PASSPHRASE       test
PyCharm Community Edition      C:\Program Files\JetBrains\PyCharm Community Edition 2020.2.3\bin;
Is there another way besides setting this variable?
maybe a way to get pulumi to prompt for passphrase again will work?
b
@broad-dog-22463 any ideas?
s
it looks like the env var didn't work for you but have you tried PULUMI_CONFIG_PASSPHRASE_FILE?
p
I have, no dice
s
what about this?
pulumi stack --stack SEA change-secrets-provider passphrase
p
Same error
I had tried that earlier today as well but retried just now ^
b
can you please file an issue in pulumi/pulumi for this? I haven't seen this before on a windows machine up to now
b
@purple-train-14007 is this definitely a stack that has no passphrase?
b
it looks like the issue here is Windows not supporting empty environment variables...
b
I wonder if ....
PULUMI_CONFIG_PASSPHRASE=" "
notice the single space, not ""
p
Ah yeah, I added the space since it wouldn't keep the env var when I was setting it this morning
lemme try adding the regkey
b
this does seem to be a limitation of Windows, rather than a Pulumi issue. Would it be possible to keep the var as "test" like it is when you dump your values?
$env:PULUMI_CONFIG_PASSPHRASE = "empty"
Would work
s
if it were just a limitation on Windows, wouldn't an empty passphrase file work? but Topher said it didn't
b
that should work, yes, but you'd need to set it to a value with an empty file
p
I added the key lemme try now
b
as @steep-toddler-94095 says, you can do:
$env:PULUMI_CONFIG_PASSPHRASE_FILE="C:/Users/cglover/dev/empty"
as well, with C:/Users/cglover/dev/empty being an empty file
p
sorry, catching up on the thread, bear with me a moment
ok, made the file again and pointed to it. Same error
@billowy-army-68599 you want me to change the var but keep test?
per @billowy-army-68599's request I set it to test and tried as well. I think that's what he was asking
is it possible to make a change to the stack file I have in my Azure backend? Maybe that could prompt me to set the password to something?
lemme try doing this in the Linux subsystem. Maybe that can be a workaround
b
Does the existing stack have an empty password?
p
yep
b
yeah, I'd change it to a string on another system, and avoid empty strings if you're using Windows clients
p
Should put that on your site to prevent people from having a stroke lol
maybe a feature request to have an -empty flag on setting secrets to support not having one on a stack file. A lot of businesses have their own security stuff in place which makes setting the password moot. Not to mention a lot of places are .NET ecosystems like mine...except we used to be Microsoft, so especially so for us
I'm setting up this Linux subsystem right now. I'll let you all know if I can get it to work again
b
most organizations I've spoken to either use our key management, or specify a KMS key from their cloud provider. Passphrase security is usually the last resort, and only used for local storage during testing
I'd be interested to hear more about how you're handling the security. It seems you're also using OSS backends?
p
So I was denied using your key management system by our security team, including your SaaS service, because you don't meet our compliance requirements. That's what I was told at least
So for our backends we are using the cloud providers' backends such as Az Blob and AWS S3
we have a bunch of self-developed tools we use to encrypt them and a bunch of other stuff I don't have visibility into as I don't own the service
Update: Able to select the stack on Linux and am starting some testing to make sure all is well
If you guys can get SOC2 compliant and show proof on your site I can send that to our security and they'd more than likely let us use all your stuff
Thanks for all your help everyone. I greatly appreciate it! ❤️ pp wise
b
we are SOC2 compliant, Topher
b
you can also use your own KMS key to encrypt secrets: https://www.pulumi.com/blog/peace-of-mind-with-cloud-secret-providers/
p
Oh sweet. This has changed since I last submitted your software to EGS last October
Do you happen to have an official attestation of compliance?
b
if you email support@pulumi.com we can help you here
p
Thanks a lot, and I'm assuming you also have PCI compliance certification as well, right?
I'm re-reading the notes from this proposal I did to security and those were the two things that ended up being the blocker
b
that I'm not sure of offhand, the support email is your best next step
p
Sent the email! 🙂
b
just got it! thanks!
p
If I can get an attestation of compliance then I can get my procurement team to contact you and get licenses for the SaaS solution.