When setting properties for an explicitly declared Okta provider, properties that are sensitive values are not encrypted and are stored in plaintext.
Using this code:
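import * as okta from "@pulumi/okta";
import * as datadog from "@pulumi/datadog";

// Explicit Okta provider: apiToken is passed as a plain string
const oktaProvider = new okta.Provider("oktaprovider", {
    apiToken: process.env.API_TOKEN,
});
// Explicit Datadog provider given the same value, for comparison
const datadogProvider = new datadog.Provider("datadogProvider", {
    apiKey: process.env.API_TOKEN,
});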
export API_TOKEN=<SOME-VALUE>
pulumi preview --diff
Note that the okta provider apiToken is in plaintext while the datadog provider apiKey is marked as secret.
There are a number of properties for the provider that should be marked as secret:
accessToken
apiToken
privateKey
Sample program
See above
Log output
N/A
Affected Resource(s)
No response
Output of pulumi about
CLI
Version 3.120.0
Go Version go1.22.4
Go Compiler gc
Plugins
KIND NAME VERSION
resource datadog 4.28.0
language nodejs unknown
resource okta 4.9.0
Host
OS darwin
Version 13.6.7
Arch x86_64
Backend
Name pulumi.com
Dependencies:
NAME VERSION
@pulumi/okta 4.9.0
@pulumi/pulumi 3.120.0
@types/node 18.19.38
typescript 5.5.2
@pulumi/datadog 4.28.0
Additional context
Modifying the sample code to use pulumi.secret(process.env.API_TOKEN) works around this.
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
Hi @MitchellGerdisch - thank you for letting us know. These values should ideally be marked as Sensitive upstream, but are not. We can add these at the Pulumi schema level.
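A check that can be run over `pulumi stack export` output to see whether any of the Okta provider properties named in the issue are sitting in state as plaintext. This is an added example, not code from the issue or from Pulumi; the function and type names are hypothetical, the sample state is constructed, and it assumes the marker key/value pair Pulumi uses to tag encrypted values in serialized state.

```typescript
// Added example (not from the issue): report Okta provider properties left as plaintext in state.
// Marker key/value that tags an encrypted secret in serialized Pulumi state (assumed format).
const SECRET_SIG_KEY = "4dabf18193072939515e22adb298388d";
const SECRET_SIG_VALUE = "1b47061264138c4ac30d75fd1eb44270";
// Property names listed in the issue as needing secret treatment.
const SENSITIVE_PROPS = ["accessToken", "apiToken", "privateKey"];

interface StateResource { urn: string; type: string;
  inputs?: Record<string, unknown>; outputs?: Record<string, unknown>; }
interface StackExport { deployment: { resources?: StateResource[] } }
interface Finding { urn: string; bag: "inputs" | "outputs"; property: string }

function isSecretEnvelope(v: unknown): boolean {
  return typeof v === "object" && v !== null &&
    (v as Record<string, unknown>)[SECRET_SIG_KEY] === SECRET_SIG_VALUE;
}

// Hypothetical helper: walks provider resources of one type and lists sensitive
// properties whose stored value is not a secret envelope.
function findPlaintextProviderSecrets(state: StackExport,
    providerType = "pulumi:providers:okta", props: string[] = SENSITIVE_PROPS): Finding[] {
  const findings: Finding[] = [];
  for (const res of state.deployment.resources ?? []) {
    if (res.type !== providerType) continue;
    for (const bag of ["inputs", "outputs"] as const) {
      const values = res[bag] ?? {};
      for (const property of props) {
        const v = values[property];
        // Unset or empty values leak nothing; an envelope means the value is encrypted.
        if (v === undefined || v === null || v === "" || isSecretEnvelope(v)) continue;
        findings.push({ urn: res.urn, bag, property });
      }
    }
  }
  return findings;
}

// Constructed sample shaped like `pulumi stack export` output; all values are placeholders.
const envelope = { [SECRET_SIG_KEY]: SECRET_SIG_VALUE, ciphertext: "CONSTRUCTED" };
const SAMPLE: StackExport = { deployment: { resources: [
  { urn: "urn:pulumi:dev::demo::pulumi:providers:okta::oktaprovider",
    type: "pulumi:providers:okta",
    inputs: { apiToken: "CONSTRUCTED-TOKEN" }, outputs: { apiToken: "CONSTRUCTED-TOKEN" } },
  { urn: "urn:pulumi:dev::demo::pulumi:providers:okta::wrapped",
    type: "pulumi:providers:okta", inputs: { apiToken: envelope }, outputs: { apiToken: envelope } },
  { urn: "urn:pulumi:dev::demo::pulumi:providers:datadog::datadogProvider",
    type: "pulumi:providers:datadog", inputs: { apiKey: envelope } },
] } };
console.log(findPlaintextProviderSecrets(SAMPLE));
```

A finding means the token has already been written to the backend unencrypted, so the credential should be rotated after the value is wrapped, not just re-deployed.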