# general
s
Hi, is there a way to use secrets from a Azure KeyVault directly instead of storing them as Pulumi secrets ? My scenario is that I would like to get connection string from a KV and use it to create a database. However, I don't want to store it as Pulumi secret, I just want to fetch it into memory and use it.
p
what do you mean by “KV” here (I’ve assumed key-value but it doesn’t really make sense to me)?
s
yeah sorry, KV = Azure KeyVault :)
d
@swift-island-2275 are you generating this as a random password as in like a Pulumi resource and then storing it in your KeyVault? Or is the storage action out of scope of your provisioning?
s
Yeah so basically I am creating a resource (mongodb cluster) and then I store the connection string (admin) to the cluster in a KeyVault - this is one stack. I've another stack which allows me to create mongo database, but in order to do it, I need an admin connection string. I do not want to store this connection string as Pulumi secret/output due to security reasons.
p
@swift-island-2275 what backend are you using for secret storage in pulumi? Why don’t you want to store connection string as Pulumi secret?
Secret outputs are encrypted and they are stored in the defined secret backend - by default that’s the Pulumi Service backend but it can be overridden to use different storage (such as Hashicorp Vault). Let me see if Azure KeyVault is supported (I suppose it is).
s
Company policy, only KV. I use managed option.
p
I’d think about changing the secrets provider to azurekeyvault so you can normally use Pulumi outputs without having them stored in Pulumi Service backend, see: https://www.pulumi.com/docs/intro/concepts/secrets/#available-encryption-providers
will that work for you?
Another option I guess is to read the value from KV (probably using read method on the proper Azure resource). As far as I understand, the first option I suggested would do that more or less automatically for you.
can you paste here how you’re storing the connection string in KeyVault?
s
Hmm, doesn't it work in a way that KV just provides an encryption key but the secrets are still stored in the Pulumi Store? Only the encryption key comes from my KV instead of from Pulumi Store?
p
Hah, good question. I didn’t go deeper into this yet so I cannot say how it actually works under the hood (right now I’m using Pulumi Service as secret provider).
Considering they are called “encryption providers” you might be right.
I guess if the encrypted secret is stored outside of your org, that’s still a no-go for your company.
s
Ok, yeah. That's how I understood it works. Unfortunately, due to company policy, storing any secrets in Pulumi Store is out of question.
yeah exactly.
p
In that case, I’d try to simply read the value back but I haven’t tried that. Still, maybe that will help you (but you’ll need to test it yourself).
Considering you created a secret using:
import pulumi_azure as azure

# example_key_vault is the KeyVault resource declared earlier in the program;
# this stores the connection string as a secret in that vault
example_secret = azure.keyvault.Secret("exampleSecret",
    value="szechuan",
    key_vault_id=example_key_vault.id
)
s
I will. Anyway, thank you very much for your time. I am now considering (as I am using .Net) to build a standard configuration with KeyVault provider.
p
you should be able to read it back using:
# Secret.get looks the existing secret up by its resource id instead of declaring a new one
same_secret_but_different_variable = azure.keyvault.Secret.get("same_secret_but_different_variable", id=example_secret.id)
or better export id property from the secret value in the first stack:
import pulumi
import pulumi_azure as azure

# create secret key in Azure KeyVault (not sure if the below is correct but you have already written that part)
example_secret = azure.keyvault.Secret("exampleSecret",
    value="szechuan",
    key_vault_id=example_key_vault.id
)

# export only the resource identifier, not the secret value
pulumi.export("example_secret_id", example_secret.id)
in another stack you can get this value using StackReference (and because it’s an identifier and not the value itself that shouldn’t be a problem for your company) and use get method to get the resource from the cloud:
import pulumi
import pulumi_azure as azure
# "org/project/stack" is a placeholder for the fully qualified name of the first stack
example_secret_id = pulumi.StackReference("org/project/stack").get_output("example_secret_id")
# Secret.get looks the existing secret up by id instead of creating a new one
example_secret_from_other_stack = azure.keyvault.Secret.get("example_secret_from_other_stack", id=example_secret_id)
s
yeah I thought about stackreference but this basically stores the output on the Pulumi Store, so again secret outside of KV :)
p
not really
read carefully my last response
it does not store the VALUE of the secret, just an identifier
s
ah sorry yeah
p
such an identifier should not be considered a secret because in order to get the value based on it, you still have to have the access to Azure KV
s
ok yeah, I will think about that
p
That’s why I asked how you created it. Every (most?) resources can be read back using get function, considering you have some kind of handle to them. Using id property is the best from my experience because it’s unique.
let me know if it works well for you 🙂
s
oo quite interesting, I'd say amazing, that's what I was actually looking for. A way to get a secret with pulumi without actually making the secret part of the stack
I will, thanks a lot!
p
(I cannot test it myself as I don’t have any Azure subscription but I can test the counterpart on GCP using their KMS)
s
I will test it 🙂 you already have helped me a lot