Provider properties such as `apiToken` are not automatically treated as sensitive data.

[MitchellGerdisch]

Describe what happened

When setting properties for an explicitly declared Okta provider, properties that are sensitive values are not encrypted and are stored in plaintext.

Using this code:

const oktaProvider = new okta.Provider("oktaprovider", {
  apiToken: process.env.API_TOKEN, 
})

const datadogProvider = new datadog.Provider("datadogProvider", {
  apiKey: process.env.API_TOKEN,  
})

• export API_TOKEN=<SOME-VALUE>
• pulumi preview --diff
  • Note that the okta provider apiToken is in plaintext while the datadog provider apiKey is marked as secret

There are number of properties for the provider that should be marked as secret:

• accessToken
• apiToken
• privateKey

Sample program

See above

Log output

N/A

Affected Resource(s)

No response

Output of pulumi about

CLI
Version 3.120.0 Go Version go1.22.4 Go Compiler gc

Plugins KIND NAME VERSION resource datadog 4.28.0 language nodejs unknown resource okta 4.9.0

Host
OS darwin Version 13.6.7 Arch x86_64

Backend
Name pulumi.com

Dependencies: NAME VERSION @pulumi/okta 4.9.0 @pulumi/pulumi 3.120.0 @types/node 18.19.38 typescript 5.5.2 @pulumi/datadog 4.28.0

Additional context

Modifying the sample code to use pulumi.secret(process.env.API_TOKEN) works around this.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[guineveresaenger]

Hi @MitchellGerdisch - thank you for letting us know. These values should ideally be marked as Sensitive upstream, but are not. We can add these at the Pulumi schema level.