Channels
#general
Title
# general
h
high-grass-3103
02/17/2022, 4:50 PMIs it just me, or unsecret isn't doing anything?
a
agreeable-eye-87399
02/17/2022, 5:49 PMcan you give an example? I’m not 100% sure?
h
high-grass-3103
02/17/2022, 5:50 PM Copy code
pulumi.unsecret(cfg.requireSecret('password')).apply(<http://pulumi.log.info|pulumi.log.info>);m
miniature-musician-31262
02/17/2022, 7:02 PMI’ve hit this myself. It’s working, but the CLI will essentially never emit a secret value, even one that’s been unwrapped, because all secret values are masked as
[secret]Ok, my question was asked and answered in another Slack, so I can’t link directly to it, but the gist is that the CLI masks all secret config with
[secret]h
high-grass-3103
02/17/2022, 7:15 PMBut secret values used as inputs are unwrapped anyway. What’s the purpose of explicit unwrap?
m
miniature-musician-31262
02/17/2022, 7:43 PMTBH, I don’t have a use case off the top of my head, but I’m sure someone else could come up with one. 🙂 One thing that might be relevant is that only explicitly unwrapped secrets are surfaceable as plain text in checkpoint (state) files — e.g., given the following code:
You end up with this in the state file:
But you’re right that you’re generally able to extract a raw string, write that string to a file, etc., without having to explicitly unwrap it. I suspect there are cases where unsecret is either useful or necessary — I just haven’t yet hit one myself. 🙂 Hope this helps, though!
👍 1
h
high-grass-3103
02/17/2022, 9:08 PMCheers
I guess I’m looking for
Copy code
pulumi output --show-secretsm
miniature-musician-31262
02/17/2022, 10:12 PMoh, yes! if you’ve defined secrets as outputs, then you can absolutely do this. 🙂
3 Views