https://pulumi.com logo
#general
Title
# general
h

high-grass-3103

02/17/2022, 4:50 PM
Is it just me, or unsecret isn't doing anything?
a

agreeable-eye-87399

02/17/2022, 5:49 PM
can you give an example? I’m not 100% sure?
h

high-grass-3103

02/17/2022, 5:50 PM
Copy code
pulumi.unsecret(cfg.requireSecret('password')).apply(<http://pulumi.log.info|pulumi.log.info>);
results with [secret]
m

miniature-musician-31262

02/17/2022, 7:02 PM
I’ve hit this myself. It’s working, but the CLI will essentially never emit a secret value, even one that’s been unwrapped, because all secret values are masked as
[secret]
. I’ll see if I can dig up a reference for you.
Ok, my question was asked and answered in another Slack, so I can’t link directly to it, but the gist is that the CLI masks all secret config with
[secret]
: https://github.com/pulumi/pulumi/blob/master/pkg/engine/events.go#L208-L225
h

high-grass-3103

02/17/2022, 7:15 PM
But secret values used as inputs are unwrapped anyway. What’s the purpose of explicit unwrap?
m

miniature-musician-31262

02/17/2022, 7:43 PM
TBH, I don’t have a use case off the top of my head, but I’m sure someone else could come up with one. 🙂 One thing that might be relevant is that only explicitly unwrapped secrets are surfaceable as plain text in checkpoint (state) files — e.g., given the following code:
You end up with this in the state file:
But you’re right that you’re generally able to extract a raw string, write that string to a file, etc., without having to explicitly unwrap it. I suspect there are cases where unsecret is either useful or necessary — I just haven’t yet hit one myself. 🙂 Hope this helps, though!
👍 1
h

high-grass-3103

02/17/2022, 9:08 PM
Cheers
I guess I’m looking for
Copy code
pulumi output --show-secrets
m

miniature-musician-31262

02/17/2022, 10:12 PM
oh, yes! if you’ve defined secrets as outputs, then you can absolutely do this. 🙂
3 Views