
swift-island-2275

10/13/2021, 9:08 AM
Hi, is there a way to use secrets from an Azure KeyVault directly instead of storing them as Pulumi secrets? My scenario is that I would like to get a connection string from a KV and use it to create a database. However, I don't want to store it as a Pulumi secret, I just want to fetch it into memory and use it.

prehistoric-activity-61023

10/13/2021, 9:18 AM
what do you mean by “KV” here (I’ve assumed key-value but it doesn’t really make sense to me)?

swift-island-2275

10/13/2021, 9:23 AM
yeah sorry, KV = Azure KeyVault :)

dry-sugar-63293

10/13/2021, 10:50 AM
@swift-island-2275 are you generating this as a random password as in like a Pulumi resource and then storing it in your KeyVault? Or is the storage action out of scope of your provisioning?

swift-island-2275

10/13/2021, 11:04 AM
Yeah so basically I am creating a resource (mongodb cluster) and then I store the connection string (admin) to the cluster in a KeyVault - this is one stack. I've another stack which allows me to create a mongo database, but in order to do it, I need an admin connection string. I do not want to store this connection string as a Pulumi secret/output due to security reasons.

prehistoric-activity-61023

10/13/2021, 11:58 AM
@swift-island-2275 what backend are you using for secret storage in Pulumi? Why don’t you want to store the connection string as a Pulumi secret?
Secret outputs are encrypted and stored in the defined secret backend - by default that’s the Pulumi Service backend but it can be overridden to use different storage (such as HashiCorp Vault). Let me see if Azure KeyVault is supported (I suppose it is).

swift-island-2275

10/13/2021, 12:00 PM
Company policy, only KV. I use managed option.

prehistoric-activity-61023

10/13/2021, 12:01 PM
I’d think about changing the secrets provider to azurekeyvault so you can normally use Pulumi outputs without having them stored in the Pulumi Service backend, see: https://www.pulumi.com/docs/intro/concepts/secrets/#available-encryption-providers
will that work for you?
Another option I guess is to read the value from KV (probably using the read method on the proper Azure resource). As far as I understand, the first option I suggested would do that more or less automatically for you.
can you paste here how you’re storing the connection string in KeyVault?

swift-island-2275

10/13/2021, 12:04 PM
Hmm, doesn't it work in a way that KV just provides an encryption key but the secrets are still stored in the Pulumi Store? Only the encryption key comes from my KV instead of from the Pulumi Store?

prehistoric-activity-61023

10/13/2021, 12:06 PM
Hah, good question. I didn’t go deeper into this yet so I cannot say how it actually works under the hood (right now I’m using Pulumi Service as secret provider).
Considering they are called “encryption providers” you might be right.
I guess if the encrypted secret is stored outside of your org, that’s still a no-go for your company.

swift-island-2275

10/13/2021, 12:07 PM
Ok, yeah. That's how I understood it works. Unfortunately, due to company policy, storing any secrets in Pulumi Store is out of question.
yeah exactly.

prehistoric-activity-61023

10/13/2021, 12:07 PM
In that case, I’d try to simply read the value back but I haven’t tried that. Still, maybe that will help you (but you’ll need to test it yourself).
Considering you created a secret using:
import pulumi_azure as azure

# declares the Key Vault secret; example_key_vault is the vault resource defined elsewhere in the first stack
example_secret = azure.keyvault.Secret("exampleSecret",
    value="szechuan",
    key_vault_id=example_key_vault.id
)

swift-island-2275

10/13/2021, 12:08 PM
I will. Anyway, thank you very much for your time. I am now considering (as I am using .Net) to build a standard configuration with KeyVault provider.

prehistoric-activity-61023

10/13/2021, 12:09 PM
you should be able to read it back using:
# Secret.get looks up the existing secret by its id instead of declaring a new Secret resource
same_secret_but_different_variable = azure.keyvault.Secret.get("same_secret_but_different_variable", id=example_secret.id)
or better export the id property from the secret in the first stack:
import pulumi
import pulumi_azure as azure

# create secret key in Azure KeyVault (not sure if the below is correct but you have already written that part)
example_secret = azure.keyvault.Secret("exampleSecret",
    value="szechuan",
    key_vault_id=example_key_vault.id
)

# only the resource id is exported, never the secret value
pulumi.export("example_secret_id", example_secret.id)
in another stack you can get this value using StackReference (and because it’s an identifier and not the value itself that shouldn’t be a problem for your company) and use the get method to get the resource from the cloud:
import pulumi
import pulumi_azure as azure
other_stack = pulumi.StackReference("org/project/stack")  # placeholder: replace with the first stack's fully qualified org/project/stack name
example_secret_id = other_stack.get_output("example_secret_id")
# Secret.get reads the existing resource by id from Azure; nothing but the id passes through Pulumi state
example_secret_from_other_stack = azure.keyvault.Secret.get("example_secret_from_other_stack", id=example_secret_id)

swift-island-2275

10/13/2021, 12:13 PM
yeah I thought about StackReference but this basically stores the output in the Pulumi Store, so again secret outside of KV :)

prehistoric-activity-61023

10/13/2021, 12:13 PM
not really
read carefully my last response
it does not store the VALUE of the secret, just an identifier

swift-island-2275

10/13/2021, 12:14 PM
ah sorry yeah

prehistoric-activity-61023

10/13/2021, 12:14 PM
such an identifier should not be considered a secret because in order to get the value based on it, you still have to have access to Azure KV

swift-island-2275

10/13/2021, 12:15 PM
ok yeah, I will think about that

prehistoric-activity-61023

10/13/2021, 12:15 PM
That’s why I asked how you created it. Every (most?) resource can be read back using the get function, considering you have some kind of handle to it. Using the id property is the best from my experience because it’s unique.
let me know if it works well for you 🙂

swift-island-2275

10/13/2021, 12:17 PM
oh quite interesting, I'd say amazing, that's what I was actually looking for. A way to get a secret with Pulumi without actually making the secret part of the stack
I will, thanks a lot!

prehistoric-activity-61023

10/13/2021, 12:17 PM
(I cannot test it myself as I don’t have any Azure subscription but I can test the counterpart on GCP using their KMS)

swift-island-2275

10/13/2021, 12:18 PM
I will test it 🙂 you already have helped me a lot