b

    bland-lawyer-98859

    4 months ago
    Hello 🙂 I have a question about masking secrets in the pulumi preview output : We create an AWS secret and I don't want the "secret_string" value to be shown in the pulumi preview output. How can I do that ? Python pulumi code :
    secret_version = aws.secretsmanager.SecretVersion(f"aws_secretversion_{secret_name}", secret_id=secret.id, secret_string=json.dumps(secret_value))
    Pulumi preview output :
    [urn=urn:pulumi:dev::snowflake::aws:secretsmanager/secretVersion:SecretVersion::aws_secretversion_snowflake/user/dev_usr_finops_api]
             [provider=urn:pulumi:dev::snowflake::pulumi:providers:aws::default_4_38_1::04da6b54-80e4-46f7-96ec-b56ff0331ba9]
             secretId    : output<string>
             secretString: (json) {
                 password         : "nDXw\">)ElJK=D+4$IvyJoBrbXR.LNF"
                 username         : "TEST"
             }
    m

    millions-furniture-75402

    4 months ago
    In the
    opts
    for the resource declaration:
    { additionalSecretOutputs: ["secretString"] },
    b

    bland-lawyer-98859

    4 months ago
    Oh thanks for your answer.
    But it didn't work : Pulumi code :
    aws.secretsmanager.SecretVersion(
    f"aws_secretversion_{secret_name}",
    secret_id=secret.id,            secret_string=json.dumps(secret_value),             opts=ResourceOptions(additional_secret_outputs=["secretString"]))
    (I've tried with "secret_string" instead of secretString, same situation) Pulumi preview :
    aws:secretsmanager/secretVersion:SecretVersion: (create)
            [urn=urn:pulumi:dev::snowflake::aws:secretsmanager/secretVersion:SecretVersion::aws_secretversion_snowflake/user/dev_usr_finops_api]
            [provider=urn:pulumi:dev::snowflake::pulumi:providers:aws::default_4_38_1::04da6b54-80e4-46f7-96ec-b56ff0331ba9]
            secretId    : output<string>
            secretString: (json) {
                password         : "3BY,&LwsG__\\=)0/MUch[Te=J)zh[5"
                username         : "TEST"
            }
    Am i missing something ?
    e

    echoing-dinner-19531

    4 months ago
    That looks like a bug, can you raise an issue at github.com/pulumi/pulumi so we can track that? Setting additional secret outputs should be sufficient to get that masked as [secret]
    b

    bland-lawyer-98859

    4 months ago
    Thanks @echoing-dinner-19531, I opened an issue : https://github.com/pulumi/pulumi/issues/9581