Closed aureq closed 1 month ago
Thank you for filing this issue!
I was wondering about the same thing a while ago, and filed this issue
It looks like if the secret value is not in config but made secret runtime, it will not be covered up on output.
Could you try this with a secret value in config instead?
@IaroslavTitov Could you explain what you would like me to try?
Instead of using pulumi.Output.secret(), add the secret value into config using pulumi config set --secret, then use it using .requireSecret
According to Justin's reply in that issue, this way it will be covered up. If I understand his response correctly, the behaviour in this bug is by design
@IaroslavTitov @justinvp While this may be "by design", in some situations I don't think this is desired at all. For example, if I use the TLS provider to generate a private key and then inject that key into ESC, then if an error occurs, 1) the private key is displayed on the terminal and 2) the private key (because it was successfully created as a resource) remains unchanged for the following run.
And since the private key has been revealed (and stored in Pulumi logs, and potentially in CI/CD logs), rotation is now required but cannot be done directly at a code level.
"""A Python Pulumi program"""
import yaml
import pulumi
import pulumi_pulumiservice as pulumiservice
import pulumi_tls as tls
private_key = tls.PrivateKey("test-key", algorithm="ECDSA", ecdsa_curve="P384")
environment = pulumiservice.Environment("test-environment",
name="test-environment",
organization=pulumi.get_organization(),
yaml = pulumi.Output.all(
pulumi.Output.secret('DWedwije87dcweijdjj78e6ytgh'),
private_key.private_key_pem).apply(lambda args:
yaml.dump(
{
'codeSecret': {
'fn::secret': args[0]
},
'privateKey': {
'fn::secret': args[1]
}
}
)
)
)
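The concern raised in the thread is that the provider echoes the whole environment document, secrets included, into the error message when the create fails. One defensive pass a provider (or a wrapper around it) can apply before rendering anything is to walk the document and blank out every value stored under an ESC `fn::secret` key. The following is an added example, not code from the issue or from the pulumi-pulumiservice provider; the `redact_secrets`, `render_for_error` and `leaked_values` helpers, the `[secret]` placeholder and the `SAMPLE_ENV` document are all constructed here. It goes slightly beyond the program above by also handling secrets nested inside lists.

```python
"""Redact `fn::secret` values in an ESC environment document before it is
rendered into an error message or log line (added example, not provider code)."""
import json
from typing import Any

REDACTED = "[secret]"  # placeholder substituted for every secret value


def redact_secrets(node: Any) -> Any:
    """Return a copy of `node` in which every value stored under the ESC
    `fn::secret` key is replaced by REDACTED. Walks nested dicts and lists;
    all other keys and scalar values are preserved unchanged."""
    if isinstance(node, dict):
        return {
            key: REDACTED if key == "fn::secret" else redact_secrets(value)
            for key, value in node.items()
        }
    if isinstance(node, list):
        return [redact_secrets(item) for item in node]
    return node


def render_unredacted(doc: dict) -> str:
    """What a naive error path does: serialize the document as given."""
    return json.dumps(doc, indent=2, sort_keys=True)


def render_for_error(doc: dict) -> str:
    """What the error path should do: serialize only the redacted copy."""
    return json.dumps(redact_secrets(doc), indent=2, sort_keys=True)


def leaked_values(doc: dict, rendered: str) -> list:
    """Return the plaintext `fn::secret` values from `doc` that still appear
    verbatim in `rendered`. An empty list means the text is safe to print."""
    found = []

    def collect(n: Any) -> None:
        if isinstance(n, dict):
            for k, v in n.items():
                if k == "fn::secret" and isinstance(v, str):
                    found.append(v)
                else:
                    collect(v)
        elif isinstance(n, list):
            for item in n:
                collect(item)

    collect(doc)
    return [s for s in found if s in rendered]


# Constructed sample mirroring the dict the program above hands to yaml.dump,
# plus a plain value and a list to exercise the walker. The PEM is a placeholder.
SAMPLE_ENV = {
    "codeSecret": {"fn::secret": "DWedwije87dcweijdjj78e6ytgh"},
    "privateKey": {"fn::secret": "-----BEGIN EC PRIVATE KEY----- constructed-placeholder -----END EC PRIVATE KEY-----"},
    "region": "us-west-2",
    "extras": [{"fn::secret": "token-abc"}, {"plain": "visible"}],
}

if __name__ == "__main__":
    print(render_for_error(SAMPLE_ENV))
    print("leaked:", leaked_values(SAMPLE_ENV, render_for_error(SAMPLE_ENV)))
```

`leaked_values` is the check a test suite for the provider's error path would run: render the document the way the error handler does, then assert that no plaintext secret survives in the output. Redacting at the document level is deliberately independent of whether the caller used `pulumi.Output.secret()` or a `--secret` config value, so the protection does not depend on how the secret entered the program.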
@komalali The output is like this
What happened?
When creating a new ESC Environment using this provider, but submitting an incorrect input as part of the yaml argument, when applying the change, the Pulumi CLI errors ✔. However, when it errors it dumps the Environment content (as passed to the code) to the console ❌. This is especially problematic because secrets present would be exposed on the user's terminal or in a CI/CD log.
Note: p1 because of the security implications. Feel free to downgrade if that's not appropriate.
Example
Output of pulumi about
Additional context
No response