https://pulumi.com logo
Title
p

purple-train-14007

09/28/2021, 4:14 PM
Anyone know how Im supposed to set these config passphrases? I am setting them to blank because we dont use pulumis secrets manager but rather have our own security internally that handles protecting our stacks. I looked at the feedback in the github repo and have tried all the things others have tried. Since none of this is working and since this basically stops me from updating my environment I put a note on the chocolatey repo about this issue and that they may run into it. This breaks customers just an FYI
b

billowy-army-68599

09/28/2021, 4:24 PM
Hi @purple-train-14007 - is this a new issue? or has this just started happening?
p

purple-train-14007

09/28/2021, 4:26 PM
This happened to me earlier this week when I went to update my code but looking at your repo this is an ongoing issue and they keep getting closed but none of the newer versions of Pulumi are "fixing" it for me
b

billowy-army-68599

09/28/2021, 4:27 PM
can you link to some of the issues? we have lots of people setting this without issue on windows
p

purple-train-14007

09/28/2021, 4:27 PM
I can see you guys merged this as a workaround
b

billowy-army-68599

09/28/2021, 4:29 PM
if you dump your env vars, do you see it set?
p

purple-train-14007

09/28/2021, 4:29 PM
but for some reason setting this variable doesnt work in powershell. I tried $env:PULUMI_CONFIG_PASSPHRASE = "" and $PULUMI_CONFIG_PASSPHRASE = ""
PUBLIC                         C:\Users\Public
PULUMI_CONFIG_PASSPHRASE       test
PyCharm Community Edition      C:\Program Files\JetBrains\PyCharm Community Edition 2020.2.3\bin;
Is there another way besides setting this variable?
maybe a way to get pulumi to prompt for passphrase again will work?
b

billowy-army-68599

09/28/2021, 4:37 PM
@broad-dog-22463 any ideas?
s

steep-toddler-94095

09/28/2021, 4:39 PM
it looks like the env var didn't work for you but have you tried
PULUMI_CONFIG_PASSPHRASE_FILE
?
p

purple-train-14007

09/28/2021, 4:40 PM
I have, no dice
s

steep-toddler-94095

09/28/2021, 4:41 PM
what about this?
pulumi stack --stack SEA change-secrets-provider passphrase
p

purple-train-14007

09/28/2021, 4:51 PM
Same error
I had tried that earlier today as well but retried just now ^
b

billowy-army-68599

09/28/2021, 4:53 PM
can you please file an issue in pulumi/pulumi for this? I haven't seen this before on a windows machine up to now
b

broad-dog-22463

09/28/2021, 4:55 PM
@purple-train-14007 is this definitely a stack that has no passphrase?
b

billowy-army-68599

09/28/2021, 4:55 PM
it looks like the issue here is windows not supporting empty environment variables...
b

broad-dog-22463

09/28/2021, 4:56 PM
I wonder if ....
PULUMI_CONFIG_PASSPHRASE=" "
notice the empty space not ""
b

billowy-army-68599

09/28/2021, 4:57 PM
p

purple-train-14007

09/28/2021, 4:58 PM
Ah yeah I added the space since it wouldnt keep the env var when I was setting it this morning
lemme try adding the regkey
b

billowy-army-68599

09/28/2021, 5:00 PM
this does seem to be a limitation of windows, rather than a pulumi issue. Would it be possible to keep the var as "test" like it is when you dump your values?
$env:PULUMI_CONFIG_PASSPHRASE = "empty"
Would work
s

steep-toddler-94095

09/28/2021, 5:00 PM
if it were just a limitation on windows wouldn't an empty passphrase file work? but topher said it didn't
b

billowy-army-68599

09/28/2021, 5:01 PM
that should work yes, but you'd need to set it to value with an empty file
p

purple-train-14007

09/28/2021, 5:01 PM
I added the key lemme try now
b

billowy-army-68599

09/28/2021, 5:02 PM
as @steep-toddler-94095 says, you can do:
$env:PULUMI_CONFIG_PASSPHRASE_FILE="C:/Users/cglover/dev/empty
as well
with
C:/Users/cglover/dev/empty
being an empty file
p

purple-train-14007

09/28/2021, 5:03 PM
sorry catching up on thread bare with me a moment
ok made the file again and pointed to it. Same error
@billowy-army-68599 you want me to change the var but keep test?
per @billowy-army-68599 request I set it to test and tried as well. I think thats what he was asking
is it possible to make a change to the stack file I have in my Azure backend? Maybe that could prompt me to set the password to something?
lemme try doing this in the linux subsystem. Maybe that can be a work around
b

billowy-army-68599

09/28/2021, 5:18 PM
Does the existing stack have an empty password?
p

purple-train-14007

09/28/2021, 5:18 PM
yep
b

billowy-army-68599

09/28/2021, 5:21 PM
yeah I'd change it to a string on another system, and avoid empty strings if you're using windows clients
p

purple-train-14007

09/28/2021, 5:21 PM
Should put that on your site to prevent people from having a stroke lol
maybe a feature request to have an -empty flag on setting secrets to support not having one on a stack file. A lot of businesses have their own security stuff in place which make setting the password moot. Not to mention a lot of places are .net ecosystems like mine...except we used to be microsoft so especially so for us
Im setting up this linux subsystem right now. Ill let you all know if I can get it to work again
b

billowy-army-68599

09/28/2021, 5:27 PM
most organizations i've spoken to either use our key management, or specify a KMS key from their cloud provider. Passphrase security is usually the last resort, and only used for local storage during testing
I'd be interested to hear more about how you're handling the security. It seems you're also using OSS backends?
p

purple-train-14007

09/28/2021, 5:36 PM
So I was denied using your key management system by our security team including your SAAS service because you dont meet our compliance requirements. Thats what I was told at least
So for our backends we are using the cloud providers backend such as Az Blob and AWS S3
we have a bunch of self developed tools we use to encrypt them and a bunch of other stuff I dont have visibility into as I dont own the service
Update Able to select the stack on linux and am starting some testing to make sure all is well
If you guys can get SOC2 compliant and show proof on your site I can send that to our security and theyd more than likely let us use all your stuff
Thanks for all your help everyone. I greatly appreciate it! ❤️ 😛:😛-wise:
b

broad-dog-22463

09/28/2021, 5:52 PM
we are Soc2 compliant Topher
b

billowy-army-68599

09/28/2021, 6:00 PM
you can also use your own KMS key to encrypt secrets: https://www.pulumi.com/blog/peace-of-mind-with-cloud-secret-providers/
🙌 1
p

purple-train-14007

09/28/2021, 6:03 PM
Oh sweet. This has changed since I last submitted your software to EGS last October
Do you happen to have an official attestation of compliance?
b

billowy-army-68599

09/28/2021, 6:04 PM
if you email support@pulumi.com we can help you here
p

purple-train-14007

09/28/2021, 6:04 PM
Thanks a lot and Im assuming you are also have PCI compliance certification as well right?
Im re-reading the notes from this proposal I did to security and those were two things that ended being the blocker
b

billowy-army-68599

09/28/2021, 6:07 PM
that I'm not sure of offhand, the support email is your best next step
p

purple-train-14007

09/28/2021, 6:20 PM
Sent the email! 🙂
b

billowy-army-68599

09/28/2021, 6:22 PM
just got it! thanks!
p

purple-train-14007

09/28/2021, 6:23 PM
If I can get an attestation of compliance then I can get my procurement team to contact you and get licenses for the SAAS solution.