`Secret.get` has the Secret's contents in plaintext in the statefile #2300
Comments
Thank you for the report, @mike-chen-samsung, this does indeed sound concerning. A first glance at the code shows that We'll investigate further today.
I was able to repro this locally with a default Minikube installation, your instructions above (except

```typescript
import * as k8s from "@pulumi/kubernetes";

// Read an existing Secret from the cluster; the resource is recorded in state as external.
const mysecret = k8s.core.v1.Secret.get("mysecret", "default/mysecret");
```
`checkpointObject` checks for secrets in the input, but in this case the input is of `Kind=="Secret"` and `ContainsSecret()` is false. I'm not quite sure yet that this is the best fix, but it works in my local repro.
Hi @mike-chen-samsung, the latest pulumi-kubernetes v3.24.0 has this fixed. Thank you again for reporting it!
What happened?

If you look at the resource in the statefile, its `data` will be (encoded) in plaintext under `outputs.__inputs.data`. This is a security concern! Not only is it unencrypted in state, but it will sometimes show as a diff in `pulumi up --diff --refresh`.
Expected Behavior

As a general rule, I expect that if an `outputs.xxx` value is encrypted, its corresponding `outputs.__inputs.xxx` value should be encrypted too.

Steps to reproduce

1. `Secret.get("mysecret", "default/mysecret")`
2. `pulumi stack export > state.json`
3. `outputs.__inputs.data` is unencrypted (though `outputs.data` is properly encrypted)

Output of `pulumi about`
Additional context
No response
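The reproduction above ends with inspecting `state.json` by hand. The following is an added example, not code from this issue or from pulumi-kubernetes, that automates the reporter's expected-behavior rule over an exported state: for every `outputs.<key>` that Pulumi has wrapped as a secret, the mirrored `outputs.__inputs.<key>` must be wrapped as well. The secret wrapper shape (`{"4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb44270", "ciphertext": ...}`) is the one Pulumi writes in checkpoint files; the sample state embedded below is constructed to mirror the report (an external `kubernetes:core/v1:Secret` whose `outputs.data` is encrypted while `outputs.__inputs.data` is still base64 plaintext) and is not a real export.

```typescript
// Added example, not part of issue #2300 or of pulumi-kubernetes.
// Scans a `pulumi stack export` document for Secret-mirroring leaks:
// an outputs.<key> that is secret-wrapped while outputs.__inputs.<key> is not.

// Signature key and secret marker that Pulumi uses for secret values in state.
const SIG_KEY = "4dabf18193072939515e22adb298388d";
const SECRET_SIG = "1b47061264138c4ac30d75fd1eb44270";

type Json = null | boolean | number | string | Json[] | { [k: string]: Json };
type JsonObject = { [k: string]: Json };

interface Finding {
  urn: string;
  path: string;   // e.g. "outputs.__inputs.data"
  reason: string;
}

function isObject(v: Json | undefined): v is JsonObject {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// True when v is a Pulumi secret wrapper ({sig, ciphertext} or {sig, plaintext}).
function isSecretWrapped(v: Json | undefined): boolean {
  return isObject(v) && v[SIG_KEY] === SECRET_SIG;
}

// The reporter's rule: every secret-wrapped outputs.<key> must have a
// secret-wrapped outputs.__inputs.<key> (when that mirrored key exists).
function checkResource(res: JsonObject): Finding[] {
  const findings: Finding[] = [];
  const urn = typeof res.urn === "string" ? res.urn : "<no urn>";
  const outputs = res.outputs;
  if (!isObject(outputs)) return findings;
  const mirroredInputs = outputs.__inputs;
  if (!isObject(mirroredInputs)) return findings;
  for (const key in outputs) {
    if (!Object.prototype.hasOwnProperty.call(outputs, key)) continue;
    if (key === "__inputs" || !isSecretWrapped(outputs[key])) continue;
    const mirrored = mirroredInputs[key];
    if (mirrored !== undefined && !isSecretWrapped(mirrored)) {
      findings.push({
        urn,
        path: "outputs.__inputs." + key,
        reason: "outputs." + key + " is encrypted but outputs.__inputs." + key + " is plaintext",
      });
    }
  }
  return findings;
}

// Walk every resource in the exported state (shape: {version, deployment: {resources: [...]}}).
function scanState(state: Json): Finding[] {
  const findings: Finding[] = [];
  if (!isObject(state) || !isObject(state.deployment)) return findings;
  const resources = state.deployment.resources;
  if (!Array.isArray(resources)) return findings;
  for (const res of resources) {
    if (isObject(res)) findings.push(...checkResource(res));
  }
  return findings;
}

// Constructed sample state reproducing the reported condition (not a real export).
const LEAKY_STATE: Json = {
  version: 3,
  deployment: {
    resources: [
      {
        urn: "urn:pulumi:dev::repro::kubernetes:core/v1:Secret::mysecret",
        type: "kubernetes:core/v1:Secret",
        external: true,
        id: "default/mysecret",
        outputs: {
          apiVersion: "v1",
          kind: "Secret",
          data: { [SIG_KEY]: SECRET_SIG, ciphertext: "v1:constructed-ciphertext" },
          __inputs: {
            apiVersion: "v1",
            kind: "Secret",
            data: { password: "aHVudGVyMg==" },   // base64 plaintext, the leak
          },
        },
      },
    ],
  },
};

// Same constructed sample with the mirrored input wrapped, as expected after the fix.
const FIXED_STATE: Json = {
  version: 3,
  deployment: {
    resources: [
      {
        urn: "urn:pulumi:dev::repro::kubernetes:core/v1:Secret::mysecret",
        type: "kubernetes:core/v1:Secret",
        external: true,
        id: "default/mysecret",
        outputs: {
          apiVersion: "v1",
          kind: "Secret",
          data: { [SIG_KEY]: SECRET_SIG, ciphertext: "v1:constructed-ciphertext" },
          __inputs: {
            apiVersion: "v1",
            kind: "Secret",
            data: { [SIG_KEY]: SECRET_SIG, ciphertext: "v1:constructed-ciphertext-2" },
          },
        },
      },
    ],
  },
};

function leakyFindings(): Finding[] { return scanState(LEAKY_STATE); }
function fixedFindings(): Finding[] { return scanState(FIXED_STATE); }
```

To run it against a real export, parse the file written by `pulumi stack export > state.json` and pass the result to `scanState`; any finding means a value that is encrypted in `outputs` is sitting in plaintext in `outputs.__inputs` and will be visible to anyone who can read the state backend.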