https://pulumi.com logo
Title
b

busy-branch-95201

01/11/2022, 6:15 PM
How does pulumi mark str objects as secret when getting them from the config via require_object? Is it possible to check wether a str is marked as secret or not? I'd like to judge on that to decide if a value should go into a ConfigMap or a Secret in k8s.
b

billowy-army-68599

01/11/2022, 6:19 PM
@busy-branch-95201 if it's in configuration encrypted, it's a secret. you'd have to do
pulumi config set foo bar --secret
for it to be marked as secret
you can use
isSecret
to determine if it's a secret: https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/pulumi/#isSecret
b

busy-branch-95201

01/11/2022, 6:24 PM
the isSecret function is exactly what I'm looking for. However I don't find it in the python docs.
b

billowy-army-68599

01/11/2022, 6:26 PM
it looks like a docs bug, it's definitely there: https://github.com/pulumi/pulumi/search?q=is_secret
I've opened this issue for the docs: https://github.com/pulumi/docs/issues/7000
b

busy-branch-95201

01/11/2022, 6:28 PM
I guess I'm stumbling accross this: https://github.com/pulumi/pulumi/issues/6531
I have a nested data structure where some values are encrypted or not and like to find out which of them are encrypted. The python debugger tells me it is a str object and just magically gets transformed into a secret when using it somewhere. Calling is_secret fails with
AttributeError: 'str' object has no attribute 'is_secret'
.
Ok, it seems that in this case those are really str and just the pulumi wrapper seems to filter the prints. In this case I guess I have to take a different approach and judge on well known keys that should be secret.
p

prehistoric-activity-61023

01/12/2022, 8:52 AM
One workaround would be to create separate keys
config
and
secrets
explicitly and differentiate based on that: So instead of:
config:
  proj:data:
    my_values:
      plain_value: foo
      secure_value:
        secure: AAABAB+T(...)sEmx8=
you can have:
config:
  proj:data:
    my_values:
      config:
        plain_value: foo
      secrets:
        secure_value:
          secure: AAABAB+T(...)sEmx8=