
creamy-monkey-35142

02/13/2023, 6:05 AM
I’m thinking about giving developers visibility so that they are able to update a Pulumi secret, but I don’t want developers to install Pulumi directly on each laptop. So instead of doing something like
pulumi config set --secret secretMessage "it's a secret to everybody"
I want the dev to push the secret string to our GitHub repo, like
v1:6N+U5QAQu244Jqp1:1G
Is it possible to generate the secret without installing pulumi?

echoing-dinner-19531

02/13/2023, 11:12 AM
It's possible, you can look at the encryption code and copy what that does. For service secrets it's just an HTTP call to the service: https://github.com/pulumi/pulumi/blob/master/pkg/secrets/service/manager.go#L46-L52 For the other secret stores it's an AES256 encryption packed into the format "v1:<nonce>:<base64 of encrypted value>": https://github.com/pulumi/pulumi/blob/master/sdk/go/common/resource/config/crypt.go#L169-L173

creamy-monkey-35142

02/13/2023, 11:25 AM
Interesting, should I share the symmetric crypter key with developers?

echoing-dinner-19531

02/13/2023, 11:26 AM
Well, if you want them to be able to create secrets themselves then you'll have to.
But it's symmetric, so it means they can decrypt secrets as well.

creamy-monkey-35142

02/13/2023, 11:29 AM
The context is that I want developers to have the ability to update the KV of HashiCorp Vault, but since we store Pulumi on GitHub, I should find a proper way to do it without storing the raw KV value.

echoing-dinner-19531

02/13/2023, 11:33 AM
I am not sure what best practice is around stuff like this. Probably depends on what exactly these secrets are, how sensitive they are, and if devs need read or just write access.

creamy-monkey-35142

02/13/2023, 11:34 AM
Thanks for advising, I’ll find another way to do that.