Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use different ACCESS_TOKENS for different Stacks #483

Closed
breuerfelix opened this issue Aug 24, 2023 · 3 comments · Fixed by #490
Closed

Use different ACCESS_TOKENS for different Stacks #483

breuerfelix opened this issue Aug 24, 2023 · 3 comments · Fixed by #490
Assignees
Labels
impact/security kind/bug Some behavior is incorrect or out of spec resolution/fixed This issue was fixed security
Milestone

Comments

@breuerfelix
Copy link

breuerfelix commented Aug 24, 2023

What happened?

I set up 2 Stacks with 2 different Stack Resources. I used EnvRefs to specify my Pulumi Access Token:

  envRefs:
    PULUMI_ACCESS_TOKEN:
      type: Literal
      literal:
        value: <redacted>

I also tried setting the token via SecretRef

    PULUMI_ACCESS_TOKEN:
      type: Secret
      secret:
        name: tokens
        key: accessToken

If i got only one Stack or if i can access all Stacks with the same token, it works perfectly fine. If i have two Stacks that need two different Access Tokens, it does not work anymore.

It always uses the Token from the first Stack it runs (after restarting the pod), and keeps using it for all Stacks it processes. It errors with "Organisation not found" and if i have a look at the "wrong" organisation, it tried to create the Stack in the wrong org because it havent found it there. Even though i specified the correct Tokens in each Stack Resource.

Expected Behavior

Use the correct Token.

Steps to reproduce

Create Resources as described.

Output of pulumi about

I run version 1.13.0.

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@breuerfelix breuerfelix added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Aug 24, 2023
@danielrbradley danielrbradley added security impact/security and removed needs-triage Needs attention from the triage team labels Aug 25, 2023
@danielrbradley
Copy link
Member

Hi @breuerfelix thanks for raising this issue with us.

I've escalated this internally to investigate further.

@danielrbradley danielrbradley added the p1 A bug severe enough to be the next item assigned to an engineer label Aug 25, 2023
@mikhailshilkov mikhailshilkov added this to the 0.94 milestone Sep 1, 2023
@mikhailshilkov mikhailshilkov removed the p1 A bug severe enough to be the next item assigned to an engineer label Sep 1, 2023
@EronWright EronWright self-assigned this Sep 6, 2023
@EronWright
Copy link
Contributor

EronWright commented Sep 9, 2023

The root cause of the issue seems to be that the Pulumi CLI gives lower priority to PULUMI_ACCESS_TOKEN than to any existing credentials in ~/.pulumi/credentials.json. In other words, the first access token that is used is cached and reused. Note that the credentials cache is shared for all stacks.

See: pulumi/pulumi#13919

EronWright added a commit that referenced this issue Sep 22, 2023
<!--Thanks for your contribution. See [CONTRIBUTING](CONTRIBUTING.md)
    for Pulumi's contribution guidelines.

    Help us merge your changes more quickly by adding more details such
    as labels, milestones, and reviewers.-->

### Proposed changes
Closes #483 

This PR seeks to isolate the credentials associated with a given
`Stack`, to solve the problem of credentials leaking across stacks. Some
underlying details here:
1. Pulumi CLI stores login credentials in PULUMI_HOME (e.g.
`~/.pulumi/credentials.json`).
2. A side-effect of using `PULUMI_ACCESS_TOKEN` is that the CLI login
credentials are set.
4. Pulumi CLI prefers the persisted login credentials to
`PULUMI_ACCESS_TOKEN`.

This PR takes the conservative approach of encapsulating the PULUMI_HOME
into a per-stack working directory, as opposed to reusing `~/.pulumi`
across stacks. The working directory is retained across reconciliation
passes, and cleaned up during stack finalization. Note that the
_workspace_ directory is erased at the end of each reconciliation pass,
as is the current behavior.

This PR does NOT solve the (lack of) mutability of `PULUMI_ACCESS_TOKEN`
across stack updates.

_Note that this PR contains some commits (related to hacking on the
operator) that will be moved to a separate PR._

### Technical Details
Relevant terminology used within the controller codebase:
- **root directory** - a temporary directory for each stack, retained
until finalization
- **home directory** - the `PULUMI_HOME` directory, located within the
stack's root directory
- **workspace directory** - the Pulumi workspace directory containing
the program and stack configuration.

The current behavior of the operator is to erase the workspace directory
on each reconciliation pass, e.g. to ensure a clean git checkout. This
PR retains this behavior while keeping the home directory across passes,
e.g. to reuse the providers.

### Related issues (optional)
- pulumi/pulumi#13919
@pulumi-bot pulumi-bot added the resolution/fixed This issue was fixed label Sep 22, 2023
@breuerfelix
Copy link
Author

Are you going to release a new Version soon? Since may there has only been one new Github Tag and i really wanna rollout these new changes in order to get my cluster functioning again.

BTW thanks for the fix!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
impact/security kind/bug Some behavior is incorrect or out of spec resolution/fixed This issue was fixed security
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants