pulumi / pulumi-azure-native

Azure Native Provider
Apache License 2.0

I cannot get KeyVault secret value #1422

Open jjindrich opened 2 years ago

jjindrich commented 2 years ago

Hello!

Issue details

I cannot get the Azure Key Vault secret value. The Value property is empty. See the documentation - https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/getsecret/#secretpropertiesresponse - where it is stated that Value is not returned.

I'm migrating existing Pulumi code in C# to the Azure Native provider.

The old Azure provider allows getting the value: https://www.pulumi.com/registry/packages/azure/api-docs/keyvault/getsecret/#result


leezen commented 2 years ago

Per the documentation, this is by design and you should "use the data-plane REST service for interaction with vault secrets." The provider provides some conveniences for interacting with the Azure SDK (see https://www.pulumi.com/registry/packages/azure-native/api-docs/authorization/getclientconfig/ and https://www.pulumi.com/registry/packages/azure-native/api-docs/authorization/getclienttoken/ as well as https://github.com/pulumi/examples/blob/master/azure-cs-call-azure-api/Program.cs for an example).

jjindrich commented 2 years ago

Yes, I fully agree with you that it is ideal to use it via the data plane. But there are some situations when you need to get the secret value in code. As I mentioned, the previous Azure provider allowed it. Why is it not implemented in the Azure Native provider?

leezen commented 2 years ago

@jjindrich The Azure Native provider relies upon calling the underlying Azure ARM REST API, which doesn't support passing back this value. We could potentially overlay a resource that performs the data plane API call, but given there's a way to do this directly via the Azure SDK, I'm not sure there's much to be gained from implementing that. Is there a reason you wouldn't want to use the Azure SDK directly in your Pulumi program?

jjindrich commented 2 years ago

Yes, it would be possible to access it via the Azure SDK "directly". But can I share the security context from Pulumi? Otherwise I have to have another configuration for this access.

leezen commented 2 years ago

@jjindrich Yup -- you can. That's what the getClientConfig and getClientToken calls I linked are for. Please let me know if that solves your issue or if you need further assistance.
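The data-plane call that leezen points to, written out as an added Go example (it is not code from this thread or from the provider): the bearer token is assumed to be obtained in the Pulumi program from the linked authorization.GetClientToken for the https://vault.azure.net audience, and GetSecretValue, the Secret type and all sample values are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// Secret is the subset of the Key Vault GetSecret response used here.
type Secret struct {
	Value string `json:"value"`
}

// GetSecretValue performs the data-plane call the provider docs point to:
// GET {vaultURI}/secrets/{name}[/{version}]?api-version=7.4, authenticated with
// a bearer token issued for the https://vault.azure.net audience (getClientToken).
func GetSecretValue(client *http.Client, vaultURI, name, version, token string) (*Secret, error) {
	endpoint := fmt.Sprintf("%s/secrets/%s", vaultURI, name)
	if version != "" { // an empty version selects the current version of the secret
		endpoint += "/" + version
	}
	req, err := http.NewRequest(http.MethodGet, endpoint+"?api-version=7.4", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		// Key Vault errors look like {"error":{"code":...,"message":...}}; the token is never echoed.
		return nil, fmt.Errorf("GET secret %q: HTTP %d: %s", name, resp.StatusCode, body)
	}
	var s Secret
	if err := json.Unmarshal(body, &s); err != nil {
		return nil, err
	}
	return &s, nil
}
```

Inside a Pulumi program, wrap the returned value with pulumi.ToSecret before passing it to resource inputs so that it is encrypted in the state file.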

mikhailshilkov commented 2 years ago

I'll take the liberty to re-open this and track as an enhancement. We may want to add an overlay function (or fix the existing one) to retrieve the actual value. Note that ARM templates have a special way to retrieve a value with a reference image and Bicep provides getSecret sugar on top of it.

kAleksei commented 1 year ago

Any updates regarding this issue, given that it is not possible to use the azure-native library to get secret values from Azure Key Vault?

nicklasfrahm commented 1 year ago

We had a similar issue. To work around this limitation, we utilize the azure-classic provider, but inherit the provider configuration from the parent component to allow us to control the subscription ID.

package main

import (
	"os"

	// Import paths assume the azure (classic) v5 and azure-native v1 Go SDKs.
	azureClassic "github.com/pulumi/pulumi-azure/sdk/v5/go/azure"
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/keyvault"
	"github.com/pulumi/pulumi-azure-native/sdk/go/azure/authorization"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// lookupAdoPat reads the "ado-pat" secret through the azure-classic provider,
// which (unlike azure-native) returns the secret value. The classic provider
// inherits the subscription from the parent component's azure-native client
// configuration and reuses the same service-principal credentials.
func lookupAdoPat(ctx *pulumi.Context, component pulumi.Resource) (*keyvault.LookupSecretResultOutput, error) {
	clientConfig, err := authorization.GetClientConfig(ctx, pulumi.Parent(component))
	if err != nil {
		return nil, err
	}

	azureClassicProvider, err := azureClassic.NewProvider(ctx, clientConfig.SubscriptionId, &azureClassic.ProviderArgs{
		TenantId:       pulumi.StringPtr(os.Getenv("ARM_TENANT_ID")),
		ClientId:       pulumi.StringPtr(os.Getenv("ARM_CLIENT_ID")),
		ClientSecret:   pulumi.StringPtr(os.Getenv("ARM_CLIENT_SECRET")),
		SubscriptionId: pulumi.StringPtr(clientConfig.SubscriptionId),
	})
	if err != nil {
		return nil, err
	}

	// The classic getSecret needs the vault's resource ID rather than its name.
	adopatkv := keyvault.LookupKeyVaultOutput(ctx, keyvault.LookupKeyVaultOutputArgs{
		Name:              pulumi.String("kv-vks-ci-agent-001"),
		ResourceGroupName: pulumi.String("rg-vks-agent-secrets-prd-001"),
	}, pulumi.Provider(azureClassicProvider))

	// adopat.Value() carries the secret value as an output.
	adopat := keyvault.LookupSecretOutput(ctx, keyvault.LookupSecretOutputArgs{
		Name:       pulumi.String("ado-pat"),
		KeyVaultId: adopatkv.Id(),
	}, pulumi.Provider(azureClassicProvider))

	return &adopat, nil
}

jbrezina commented 1 year ago

Can you please reopen the issue and track it as an enhancement as @mikhailshilkov mentioned above?

mortaelth commented 2 months ago

Still needed in order to move from the classic provider.