creamy-window-21036
10/11/2022, 7:40 PM
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
from pulumi import automation as auto

def program():
    # Empty inline program; resources would be declared here.
    pass

auto.create_stack(
    stack_name="Dev",
    project_name="MyfirstProject",
    program=program,
    opts=auto.LocalWorkspaceOptions(
        project_settings=auto.ProjectSettings(
            name="Test",
            runtime="python",
            # Stack state is stored in this S3 backend.
            backend=auto.ProjectBackend(url="s3://test-bucket")
        )
    )
)
able-ability-11203
10/11/2022, 7:44 PM
AWS_ACCESS_KEY_ID=12312 AWS_SECRET_ACCESS_KEY=1231 AWS_SESSION_TOKEN=132 pulumi up
This works just fine, will sit neatly in your bash history, and, most importantly, save you from leaking creds into code.
creamy-window-21036
10/11/2022, 7:48 PM
able-ability-11203
10/11/2022, 7:49 PM
creamy-window-21036
10/11/2022, 7:50 PM
able-ability-11203
10/11/2022, 7:52 PM
stack.set_config() for that case, it should perfectly handle aws:secretKey and other secrets, as denoted here.
Thus the stack and provider thereof should receive secrets and work properly.
creamy-window-21036
10/11/2022, 7:53 PM
damp-rain-39201
10/11/2022, 7:54 PM
billowy-army-68599
10/11/2022, 7:54 PM
pulumi config set aws:accessKey <something> --secret
pulumi config set aws:secretKey <something> --secret
creamy-window-21036
10/11/2022, 7:54 PM
billowy-army-68599
10/11/2022, 7:55 PM
able-ability-11203
10/11/2022, 7:55 PM
pulumi config set for CLI is stack.set_config() for automation 😉
secret=True, I believe, while having also some general passphrase configured.
creamy-window-21036
10/11/2022, 8:04 PM
billowy-army-68599
10/11/2022, 8:12 PM
Be careful, for that automation seems to create stacks on disk,
The stacks are created in your backend
and could leak these secrets there
If you use secret=True it’s encrypted
creamy-window-21036
10/11/2022, 8:22 PM
billowy-army-68599
10/11/2022, 8:23 PM
auto.ProjectBackend(url="s3://test-bucket")
creamy-window-21036
10/11/2022, 8:24 PM
billowy-army-68599
10/11/2022, 8:25 PM
creamy-window-21036
10/11/2022, 8:29 PM
from pulumi import automation as auto

# sts is assumed to hold temporary credentials from an earlier STS call (not shown in the post).
creds = {
    "aws_access_key_id": sts["AccessKeyId"],
    "aws_secret_access_key": sts["SecretAccessKey"],
    "aws_region": "us-east-2",
    "aws_session_token": sts["SessionToken"],
    # "pulumi_config_passphrase": "pass_p",
}

def program():
    pass

stack = auto.create_stack(
    stack_name="Dev",
    project_name="MyfirstProject",
    program=program,
    opts=auto.LocalWorkspaceOptions(
        project_settings=auto.ProjectSettings(
            name="Test",
            runtime="python",
            backend=auto.ProjectBackend(url="s3://test-bucket/SampleStack")
        )
    )
)

# secret=True stores these values encrypted in the stack config
# (requires a secrets passphrase or provider to be configured).
stack.set_config("aws:accessKey", auto.ConfigValue(value=creds["aws_access_key_id"], secret=True))
stack.set_config("aws:secretKey", auto.ConfigValue(value=creds["aws_secret_access_key"], secret=True))
stack.set_config("aws:token", auto.ConfigValue(value=creds["aws_session_token"], secret=True))
stack.set_config("aws:region", auto.ConfigValue(value="us-east-2"))
stack.refresh(on_output=print)
stack.up(on_output=print, color="always")
error: unable to check if bucket <s3://test-bucket/SampleStack> is accessible: blob (code=Unknown): NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
billowy-army-68599
10/11/2022, 9:24 PM