Use different ACCESS_TOKENS for different Stacks #483
Assignees
Labels
impact/security
kind/bug
Some behavior is incorrect or out of spec
resolution/fixed
This issue was fixed
security
Milestone
Comments
breuerfelix
added
kind/bug
danielrbradley
added
security
impact/security
and removed
needs-triage
|
Hi @breuerfelix thanks for raising this issue with us. I've escalated this internally to investigate further. |
danielrbradley
added
the
p1
mikhailshilkov
removed
the
p1
|
The root cause of the issue seems to be that the Pulumi CLI gives lower priority to See: pulumi/pulumi#13919 |
This was referenced Sep 11, 2023
EronWright
added a commit
that referenced
this issue
Sep 22, 2023
<!--Thanks for your contribution. See [CONTRIBUTING](CONTRIBUTING.md)
for Pulumi's contribution guidelines.
Help us merge your changes more quickly by adding more details such
as labels, milestones, and reviewers.-->
### Proposed changes
Closes #483
This PR seeks to isolate the credentials associated with a given
`Stack`, to solve the problem of credentials leaking across stacks. Some
underlying details here:
1. Pulumi CLI stores login credentials in PULUMI_HOME (e.g.
`~/.pulumi/credentials.json`).
2. A side-effect of using `PULUMI_ACCESS_TOKEN` is that the CLI login
credentials are set.
4. Pulumi CLI prefers the persisted login credentials to
`PULUMI_ACCESS_TOKEN`.
This PR takes the conservative approach of encapsulating the PULUMI_HOME
into a per-stack working directory, as opposed to reusing `~/.pulumi`
across stacks. The working directory is retained across reconciliation
passes, and cleaned up during stack finalization. Note that the
_workspace_ directory is erased at the end of each reconciliation pass,
as is the current behavior.
This PR does NOT solve the (lack of) mutability of `PULUMI_ACCESS_TOKEN`
across stack updates.
_Note that this PR contains some commits (related to hacking on the
operator) that will be moved to a separate PR._
### Technical Details
Relevant terminology used within the controller codebase:
- **root directory** - a temporary directory for each stack, retained
until finalization
- **home directory** - the `PULUMI_HOME` directory, located within the
stack's root directory
- **workspace directory** - the Pulumi workspace directory containing
the program and stack configuration.
The current behavior of the operator is to erase the workspace directory
on each reconciliation pass, e.g. to ensure a clean git checkout. This
PR retains this behavior while keeping the home directory across passes,
e.g. to reuse the providers.
### Related issues (optional)
- pulumi/pulumi#13919
|
Are you going to release a new Version soon? Since may there has only been one new Github Tag and i really wanna rollout these new changes in order to get my cluster functioning again. BTW thanks for the fix! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What happened?
I set up 2 Stacks with 2 different Stack Resources. I used EnvRefs to specify my Pulumi Access Token:
I also tried setting the token via SecretRef
If i got only one Stack or if i can access all Stacks with the same token, it works perfectly fine. If i have two Stacks that need two different Access Tokens, it does not work anymore.
It always uses the Token from the first Stack it runs (after restarting the pod), and keeps using it for all Stacks it processes. It errors with "Organisation not found" and if i have a look at the "wrong" organisation, it tried to create the Stack in the wrong org because it havent found it there. Even though i specified the correct Tokens in each Stack Resource.
Expected Behavior
Use the correct Token.
Steps to reproduce
Create Resources as described.
Output of
pulumi aboutI run version 1.13.0.
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
The text was updated successfully, but these errors were encountered: