Channels
#general
Title
s
swift-island-2275
10/13/2021, 9:08 AMHi, is there a way to use secrets from a Azure KeyVault directly instead of storing them as Pulumi secrets ? My scenario is that I would like to get connection string from a KV and use it to create a database. However, I don't want to store it as Pulumi secret, I just want to fetch it into memory and use it.
p
prehistoric-activity-61023
10/13/2021, 9:18 AMwhat do you mean by “KV” here (I’ve assumed key-value but it doesn’t really make sense to me)?
s
swift-island-2275
10/13/2021, 9:23 AMyeah sorry, KV = Azure KeyVault :)
d
dry-sugar-63293
10/13/2021, 10:50 AM@swift-island-2275 are you generating this as a random password as in like a Pulumi resource and then storing it in your KeyVault? Or is the storage action out of scope of your provisioning?
s
swift-island-2275
10/13/2021, 11:04 AMYeah so basically I am creating a resource (mongodb cluster) and then I store the connection string (admin) to the cluster in a KeyVault - this is one stack. I've another stack which allows me to create mongo database, but in order to do it, I need an admin connection string. I do now want to store this connection string as Pulumi secret/output due to security reasons.
p
prehistoric-activity-61023
10/13/2021, 11:58 AM@swift-island-2275 what backend are you using for secret storage in pulumi? Why don’t you want to store connection string as Pulumi secret?
Secret outputs are encrypted and they are stored in defined secret backend - by default that’s Pulumi Service backend but it can be overridden to use different storage (such as Hashicorp Vault). Let me see if Azure KeyVault is supported (I suppose it is).
s
swift-island-2275
10/13/2021, 12:00 PMCompany policy, only KV. I use managed option.
p
prehistoric-activity-61023
10/13/2021, 12:01 PMI’d think about changing the secrets provider to
azurekeyvaultwill that work for you?
Another option I guess is to read the value from KV (probably using
readcan you paste here how you’re storing the connection string in KeyVault?
s
swift-island-2275
10/13/2021, 12:04 PMHmm, doesn't it work in a way that KV just provides an encryption key but the secrets are still stored in the Pulumi Store ? Only the encryption key comes from my KV instead of from Pulumi Store ?
p
prehistoric-activity-61023
10/13/2021, 12:06 PMHah, good question. I didn’t go deeper into this yet so I cannot say how it actually works under the hood (right now I’m using Pulumi Service as secret provider).
Considering they are called “encryption providers” you might be right.
I guess if the encrypted secret is stored outside of your org, that’s still a no-go for you company.
s
swift-island-2275
10/13/2021, 12:07 PMOk, yeah. That's how I understood it works. Unfortunately, due to company policy, storing any secrets in Pulumi Store is out of question.
yeah exactly.
p
prehistoric-activity-61023
10/13/2021, 12:07 PMIn that case, I’d try to simply read the value back but I haven’t tried that. Still, maybe that will help you (but you’ll need to test it yourself).
Considering you created a secret using:
Copy code
example_secret = azure.keyvault.Secret("exampleSecret",
value="szechuan",
key_vault_id=example_key_vault.id
)s
swift-island-2275
10/13/2021, 12:08 PMI will. Anyway, thank you very much for your time. I am now considering (as I am using .Net) to build a standard configuration with KeyVault provider.
p
prehistoric-activity-61023
10/13/2021, 12:09 PMyou should be able to read it back using:
Copy code
same_secret_but_different_variable = azure.keyvault.Secret("same_secret_but_different_variable", key_vault_id=example_key_vault.id)or better
export
id Copy code
# create secret key in Azure KeyVault (not sure if the below is correct but you have already written that part)
example_secret = azure.keyvault.Secret("exampleSecret",
value="szechuan",
key_vault_id=example_key_vault.id
)
pulumi.export("example_secret_id", example_secret.id)get Copy code
example_secret_id = GET VALUE USING STACK REFERENCE
example_secret_from_other_stack = azure.keyvault.Secret("example_secret_from_other_stack", id=example_secret_id)s
swift-island-2275
10/13/2021, 12:13 PMyeah I thought about stackreference but this basically stores the output on the Pulumi Store, so again secret outside of KV :)
p
prehistoric-activity-61023
10/13/2021, 12:13 PMnot really
read carefully my last response
it does not store the VALUE of the secret, just an identifier
s
swift-island-2275
10/13/2021, 12:14 PMa sorry yeah
p
prehistoric-activity-61023
10/13/2021, 12:14 PMsuch an identifier should not be considered a secret because in order to get the value based on it, you still have to have the access to Azure KV
s
swift-island-2275
10/13/2021, 12:15 PMok yeah, I will think about that
p
prehistoric-activity-61023
10/13/2021, 12:15 PMThat’s why I asked how you created it. Every (most?) resources can be read back using
getidlet me know if it works well for you 🙂
s
swift-island-2275
10/13/2021, 12:17 PMoo quite interesting, I'd say amazing, that's what I was actually looking for. A way to get a secret with pulumi without actually making the secret part of the stack
I will, thanks a lot !
p
prehistoric-activity-61023
10/13/2021, 12:17 PM(I cannot test it myself as I don’t have any Azure subscription but I can test the counterpart on GCP using their KMS)
s
swift-island-2275
10/13/2021, 12:18 PMI will test it 🙂 you already have helped me a lot
2 Views