# getting-started

echoing-oil-42947

03/13/2022, 9:20 PM
👋 Quick question, is it possible to use a k8s secret to get a vault token and use that in a provider? In theory it seems to be yes, but vault is giving 403 during the preview step (which makes sense as that secret likely hasn't been fetched yet)

little-cartoon-10569

03/13/2022, 9:36 PM
You want to construct a provider using a value stored in the cloud? You'll have to fetch that value yourself using another SDK, or at least another provider that doesn't depend on the value stored remotely.

echoing-dinner-19531

03/13/2022, 9:45 PM
You want to do this all in one Pulumi program? It's a bit odd because we expect provider config to be known values, but you could wrap a load of program inside an apply call such that it only runs once the secret is made. Does mean preview won't be able to show you what's going to happen. I'd think this is probably better done as one Pulumi program to make the secret and then using a stack reference in a second program to get hold of it.

echoing-oil-42947

03/13/2022, 9:46 PM
Gotcha, I'll take a deeper look into Stack References; the secret is initially created from a sidecar I'm using to auto initialize vault (which also creates the secret), which may be a deeper anti-pattern, as this is my first foray into kubernetes in general
Essentially the goal overall is: Vault starts -> Gets initialized -> Token into secret -> Pull that token -> Use vault provider to create infrastructure credential and policy -> add credential and policy to other programs that need to interact with vault

echoing-dinner-19531

03/13/2022, 9:54 PM
That sounds like a reasonable flow but I don't know Vault very well. I'll ask internally if we've got good examples of using vault to set up other providers.

echoing-oil-42947

03/16/2022, 3:50 PM
Any examples pop up?

echoing-dinner-19531

03/16/2022, 3:55 PM
No 😞 I've bumped the question inside again.

echoing-oil-42947

03/16/2022, 5:23 PM
Thank you!

little-cartoon-10569

03/16/2022, 8:15 PM
So long as the vault isn't managed from within the same Pulumi program, this will work. Do you have some failing code you'd like to share?