https://pulumi.com logo
Join Slack
Powered by
How does pulumi mark str objects as secret when ge...
# python
b
How does pulumi mark str objects as secret when getting them from the config via require_object? Is it possible to check wether a str is marked as secret or not? I'd like to judge on that to decide if a value should go into a ConfigMap or a Secret in k8s.
b
@busy-branch-95201 if it's in configuration encrypted, it's a secret. you'd have to do 
pulumi config set foo bar --secret
for it to be marked as secret
you can use 
isSecret
to determine if it's a secret: https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/pulumi/#isSecret
b
the isSecret function is exactly what I'm looking for. However I don't find it in the python docs.
b
it looks like a docs bug, it's definitely there: https://github.com/pulumi/pulumi/search?q=is_secret
I've opened this issue for the docs: https://github.com/pulumi/docs/issues/7000
b
I guess I'm stumbling accross this: https://github.com/pulumi/pulumi/issues/6531
I have a nested data structure where some values are encrypted or not and like to find out which of them are encrypted. The python debugger tells me it is a str object and just magically gets transformed into a secret when using it somewhere. Calling is_secret fails with 
AttributeError: 'str' object has no attribute 'is_secret'
.
Ok, it seems that in this case those are really str and just the pulumi wrapper seems to filter the prints. In this case I guess I have to take a different approach and judge on well known keys that should be secret.
p
One workaround would be to create separate keys 
config
and 
secrets
explicitly and differentiate based on that: So instead of:
Copy code
config:
  proj:data:
    my_values:
      plain_value: foo
      secure_value:
        secure: AAABAB+T(...)sEmx8=
you can have:
Copy code
config:
  proj:data:
    my_values:
      config:
        plain_value: foo
      secrets:
        secure_value:
          secure: AAABAB+T(...)sEmx8=
2 Views
Open in Slack
PreviousNext
Powered by