
orange-terabyte-97049

01/09/2023, 11:24 AM
Hello everyone, we are trying to push an RDS instance provisioning on GitHub, but without committing the passwords over there. Is there a way we can add it to GitHub secrets and it can be injected during runtime?

creamy-monkey-35142

01/09/2023, 11:52 AM
I think you can add it into ENV, like with Python `os.getenv()`

stocky-restaurant-98004

01/09/2023, 2:35 PM
That's correct - GH secrets are available as env vars. You can also generate the master PW all in Pulumi using the `random.RandomPassword` resource and Pulumi can be responsible for the secret. You can then retrieve the value via `pulumi stack output --show-secrets`

orange-terabyte-97049

01/09/2023, 3:00 PM
Oh that's nice! Thank you both for your help. 🙌🏿

creamy-monkey-35142

01/09/2023, 3:46 PM
@stocky-restaurant-98004 do you know what the ENV name of `encryptionsalt` is?

stocky-restaurant-98004

01/09/2023, 3:54 PM
@creamy-monkey-35142 Salts are not secrets, so you can store them in plaintext. What resource are you using with `encryptionsalt`? I don't see it in the docs for `random.RandomPassword` nor the Random provider.

creamy-monkey-35142

01/09/2023, 3:59 PM
The `encryptionsalt` is used in the Python class `StackSettings` `_deserialize`. The description is "This is this stack's base64 encoded encryption salt. Only used for passphrase-based secrets providers", so it's not plaintext. I think it's a secret and should not be in the git repository, and should it be an ENV var instead of a file?

stocky-restaurant-98004

01/09/2023, 4:06 PM
Ahh, ok. That's why I haven't seen it - I nearly always use the Service backend. No, salts are safe to store in plaintext. It's not a secret.

creamy-monkey-35142

01/09/2023, 4:10 PM
Thanks, I use a passphrase instead of AWS KMS for testing purposes and I'll change to KMS later 😄