#general

victorious-sugar-42620

12/08/2021, 3:07 AM
Hey guys, I have an object in my stack with some properties using secrets. For example:
```yaml
dev:ACCOUNTS:
  - pass:
      secure: v1:xxxxxxxxx
    user: admin
  - pass:
      secure: v1:yyyyyyyyy
    user: admin2
```
What I am trying to achieve is to get this, turn it into JSON and send it to my Node application as an environment variable. The problem is when I do something like this:
```typescript
import { Config } from "@pulumi/pulumi";

const config = new Config();
config.requireSecretObject<any[]>('ACCOUNTS').apply(a => JSON.stringify(a)); // Will produce "[{\"pass\":\"[secret]\",\"user\":\"admin\"},{\"pass\":\"[secret]\",\"user\":\"admin2\"}]"
JSON.stringify(config.requireObject('ACCOUNTS')); // Will also produce "[{\"pass\":\"[secret]\",\"user\":\"admin\"},{\"pass\":\"[secret]\",\"user\":\"admin2\"}]"
```
I want the secret itself; the only reason I use it as a secret in the stack is to avoid it in plain text in the GitHub repo. I have no problems with people being able to see it inside the TaskDefinition (since I am using AWS). How do I achieve this?

red-match-15116

12/08/2021, 3:28 AM
If you use `requireObject` instead of `requireSecretObject` it will use the plaintext version. But note that it will be saved to pulumi state as plaintext.

victorious-sugar-42620

12/08/2021, 3:37 AM
I have already tried this and it does not work
I have also tried `pulumi.unsecure` but it does not work either
Note that it works fine in the CLI `pulumi config --show-secrets` so it is not a bad stack configuration

red-match-15116

12/08/2021, 3:45 AM
Hmm... maybe it's because the whole object is not a secret but the individual keys are?

victorious-sugar-42620

12/08/2021, 3:46 AM
maybe...
It gives me this:
```
"[{\"pass\":\"[secret]\",\"user\":\"admin\"},{\"pass\":\"[secret]\",\"user\":\"admin2\"}]"
```
It is strange because the CLI works fine
only the TS does not work as expected

red-match-15116

12/08/2021, 3:50 AM
Yeah, I think it's probably a bug, but I do think it's related to the fact that the individual keys are secrets rather than the entire object, which means that `unsecret` or `requireObject` don't unsecret the top-level object because it was never a secret in the first place.
What it should do is also unsecret the individual keys, but it seems it is not doing that.

victorious-sugar-42620

12/08/2021, 3:52 AM
Yep, I might look into contributing tomorrow
But it seems pretty complicated from what I have seen so far