Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The Output of get_secret_output is not marked as a secret #424

Open
SharpEdgeMarshall opened this issue Feb 29, 2024 · 2 comments
Open

The Output of get_secret_output is not marked as a secret #424

SharpEdgeMarshall opened this issue Feb 29, 2024 · 2 comments
Labels
impact/security kind/bug Some behavior is incorrect or out of spec

Comments

@SharpEdgeMarshall
Copy link

SharpEdgeMarshall commented Feb 29, 2024
edited
Loading

What happened?

Calling get_secret_output returns an Output that is not marked as secret and is shown in the preview if passed to other resources.

Example

Code:

credentials_data = pulumi_vault.generic.get_secret_output(path=f"rabbitmq/creds/my-role").data
provider = rabbitmq.Provider(
            "rabbitmq-provider",
            username=credentials_data.apply(lambda data: data["username"]),
            password=credentials_data.apply(lambda data: data["password"]),
        )

Preview diff:

+ pulumi:providers:rabbitmq: (create)
    [urn=URN]
    endpoint: [secret]
    password: "CLEAR_TEXT_PASSWORD"
    username: "CLEAR_TEXT_USERNAME"
    version : "3.3.1"

Workaround:

credentials_data = pulumi_vault.generic.get_secret_output(path=f"rabbitmq/creds/my-role").data
provider = rabbitmq.Provider(
            "rabbitmq-provider",
            username=pulumi.Output.secret(credentials_data.apply(lambda data: data["username"])),
            password=pulumi.Output.secret(credentials_data.apply(lambda data: data["password"])),
        )

Output of pulumi about

CLI
Version 3.106.0
Go Version go1.22.0
Go Compiler gc

Plugins
python unknown
rabbitmq 3.3.1
vault 5.20.0

Host
OS darwin
Version 14.3.1
Arch arm64

This project is written in python: executable='/Users/my-user/.pyenv/shims/python3' version='3.9.18'

Dependencies:
NAME VERSION
black 22.12.0
flake8 3.9.2
isort 5.12.0
mypy 0.910
pip 23.3.1
pulumi_rabbitmq 3.3.1
pulumi_vault 5.20.0
setuptools 69.0.2

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
@SharpEdgeMarshall SharpEdgeMarshall added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Feb 29, 2024
@iwahbe iwahbe added impact/security and removed needs-triage Needs attention from the triage team labels Mar 4, 2024
@iwahbe
Copy link
Member

iwahbe commented Mar 4, 2024
edited
Loading

Hey @SharpEdgeMarshall. Thanks for bringing this to our attention.

The bridge correctly marks these function outputs as secret in the schema:

https://github.com/pulumi/pulumi-vault/blob/23d71ff5ce3685154d99cbed959e8a92cef57e82/provider/cmd/pulumi-resource-vault/schema.json#L31069-L31082

We see this take effect for the generic.Secret resource:

pulumi-vault/sdk/python/pulumi_vault/generic/secret.py

Line 357 in 23d71ff

secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["data", "dataJson"])

I don't see any similar code to pass secrets to resource options. I'll open an issue in pulumi/pulumi. (issue created)

In the mean time, you can call pulumi.Output.secret to convert non-secret outputs to secret values:

credentials_data = pulumi_vault.generic.get_secret_output(path=f"rabbitmq/creds/my-role").data
provider = rabbitmq.Provider(
            "rabbitmq-provider",
            username=pulumi.Output.secret(credentials_data.apply(lambda data: data["username"])),
            password=pulumi.Output.secret(credentials_data.apply(lambda data: data["password"])),
        )

@iwahbe iwahbe mentioned this issue Mar 4, 2024
Open
@SharpEdgeMarshall
Copy link
Author

SharpEdgeMarshall commented Mar 4, 2024
edited
Loading

Thank you @iwahbe for the answer, that's exactly what we ended up doing I simply forgot to add it to the issue. 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
impact/security kind/bug Some behavior is incorrect or out of spec
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@SharpEdgeMarshall @iwahbe