Pulumi CLI shouldn't persist credentials when picked up via environment variables #13919

Open
ringods opened this issue Sep 11, 2023 · 0 comments
Labels: area/backends (State storage (filestate/httpstate/etc.)); area/cli (UX of using the CLI (args, output, logs)); impact/security; kind/bug (Some behavior is incorrect or out of spec)

ringods commented Sep 11, 2023

What happened?

The PULUMI_ACCESS_TOKEN is ignored when an existing Pulumi credentials file (~/.pulumi/credentials.json) exists. The credentials file shouldn't take precedence.

Expected Behavior

The PULUMI_ACCESS_TOKEN environment variable, when defined, should be used instead of a credentials file from another run with another token value.

I expect the Pulumi CLI to not write the Pulumi Access Token clear text to disk. Writing the credentials file is the cause of this issue: pulumi/pulumi-kubernetes-operator#483 (comment)

I implemented the 1Password Shell Plugin for Pulumi. Any shell plugin can be configured to inject a different credential for a folder, possibly including all subfolders. This makes for an easy way to separate personal and organizational access using different accounts. I had to patch the plugin to remove the credentials file to let the correct access token be picked up via the environment variable.

Steps to reproduce

$ cd project1
$ export PULUMI_ACCESS_TOKEN=pul-<token 1>
$ pulumi up
$ cd ../project2
$ export PULUMI_ACCESS_TOKEN=pul-<token 2>
$ pulumi up

The token for project2 is ignored, the existing credentials file is used, and pulumi will report an access error if the token from project1 doesn't provide access to the stacks of project2.

Output of pulumi about

Any Pulumi CLI version.

Additional context

Related:


@ringods ringods added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Sep 11, 2023
@Frassle Frassle self-assigned this Sep 11, 2023
@Frassle Frassle added area/cli UX of using the CLI (args, output, logs) area/backends State storage (filestate/httpstate/etc.) and removed needs-triage Needs attention from the triage team labels Sep 11, 2023
EronWright added a commit to pulumi/pulumi-kubernetes-operator that referenced this issue Sep 22, 2023

### Proposed changes
Closes #483 

This PR seeks to isolate the credentials associated with a given
`Stack`, to solve the problem of credentials leaking across stacks. Some
underlying details here:
1. Pulumi CLI stores login credentials in PULUMI_HOME (e.g.
`~/.pulumi/credentials.json`).
2. A side-effect of using `PULUMI_ACCESS_TOKEN` is that the CLI login
credentials are set.
4. Pulumi CLI prefers the persisted login credentials to
`PULUMI_ACCESS_TOKEN`.

This PR takes the conservative approach of encapsulating the PULUMI_HOME
into a per-stack working directory, as opposed to reusing `~/.pulumi`
across stacks. The working directory is retained across reconciliation
passes, and cleaned up during stack finalization. Note that the
_workspace_ directory is erased at the end of each reconciliation pass,
as is the current behavior.

This PR does NOT solve the (lack of) mutability of `PULUMI_ACCESS_TOKEN`
across stack updates.

_Note that this PR contains some commits (related to hacking on the
operator) that will be moved to a separate PR._

### Technical Details
Relevant terminology used within the controller codebase:
- **root directory** - a temporary directory for each stack, retained
until finalization
- **home directory** - the `PULUMI_HOME` directory, located within the
stack's root directory
- **workspace directory** - the Pulumi workspace directory containing
the program and stack configuration.

The current behavior of the operator is to erase the workspace directory
on each reconciliation pass, e.g. to ensure a clean git checkout. This
PR retains this behavior while keeping the home directory across passes,
e.g. to reuse the providers.

### Related issues (optional)
- pulumi/pulumi#13919
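
The per-stack `PULUMI_HOME` isolation described in the commit message above, sketched as shell helpers together with a check for the shadowing condition the issue reports. This is an added example, not code from the Pulumi CLI or the operator; the function names and the `stack-<name>/home` layout are assumptions.

```shell
#!/bin/sh
# Added illustration: function names and directory layout are assumptions.
# Usage (hypothetical root): run_isolated "$root" org/project2/dev pulumi up

# Map a stack name ($2) to its private root directory under $1.
stack_dir() {
    # Replace unsafe characters; the "stack-" prefix keeps "." and ".."
    # from resolving outside the root.
    safe=$(printf '%s' "$2" | tr -c 'A-Za-z0-9._-' '_')
    printf '%s\n' "$1/stack-$safe"
}

# Create (mode 0700) and print the PULUMI_HOME for one stack.
stack_home() {
    dir=$(stack_dir "$1" "$2") || return 1
    (umask 077 && mkdir -p "$dir/home") || return 1
    chmod 700 "$dir" "$dir/home" || return 1
    printf '%s\n' "$dir/home"
}

# Succeeds when a persisted login in home $1 would take precedence over
# PULUMI_ACCESS_TOKEN, the condition described in the issue.
token_shadowed() {
    [ -n "${PULUMI_ACCESS_TOKEN:-}" ] && [ -f "$1/credentials.json" ]
}

# Run a command with PULUMI_HOME set to the stack's private home, so any
# credentials file written as a side effect stays with that stack.
run_isolated() {
    iso_home=$(stack_home "$1" "$2") || return 1
    shift 2
    env PULUMI_HOME="$iso_home" "$@"
}

# Remove the stack's root, including persisted credentials, at finalization.
finalize_stack() {
    dir=$(stack_dir "$1" "$2") || return 1
    rm -rf -- "$dir"
}
```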