Pulumi CLI shouldn't persist credentials when picked up via environment variables #13919
Labels
- area/backends: State storage (filestate/httpstate/etc.)
- area/cli: UX of using the CLI (args, output, logs)
- impact/security
- kind/bug: Some behavior is incorrect or out of spec
What happened?
The `PULUMI_ACCESS_TOKEN` environment variable is ignored when an existing Pulumi credentials file (`~/.pulumi/credentials.json`) exists. The credentials file shouldn't take precedence.
Expected Behavior
The `PULUMI_ACCESS_TOKEN` environment variable, when defined, should be used instead of a credentials file from another run with another token value. I expect the Pulumi CLI not to write the Pulumi access token to disk in clear text. Writing the credentials file is the cause of this issue: pulumi/pulumi-kubernetes-operator#483 (comment)
I implemented the 1Password Shell Plugin for Pulumi. Any shell plugin can be configured to inject a different credential for a folder, possibly including all subfolders. This makes for an easy way to separate personal and organizational access using different accounts. I had to patch the plugin to remove the credentials file to let the correct access token be picked up via the environment variable.
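As an added example (not Pulumi's own code), the following Go snippet models the precedence the expected behaviour describes: a token present in `PULUMI_ACCESS_TOKEN` wins over a stale `credentials.json`, and a token that came from the environment is flagged so it is never persisted to disk. It assumes a reduced `credentials.json` shape (a `current` backend URL plus per-backend `accessTokens`) and uses placeholder token values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Assumed shape of ~/.pulumi/credentials.json, reduced to the fields this example needs.
type credentialsFile struct {
	Current      string            `json:"current"`
	AccessTokens map[string]string `json:"accessTokens"`
}

// resolveAccessToken applies the precedence the issue asks for: a token set in
// PULUMI_ACCESS_TOKEN (envToken, "" when unset) wins over whatever an earlier login
// left in credsPath, and an env token comes back with persist=false so it never hits disk.
func resolveAccessToken(envToken, credsPath string) (token, source string, persist bool, err error) {
	if envToken != "" {
		return envToken, "PULUMI_ACCESS_TOKEN", false, nil
	}
	raw, err := os.ReadFile(credsPath)
	if err != nil {
		return "", "", false, fmt.Errorf("no PULUMI_ACCESS_TOKEN and cannot read %s: %w", credsPath, err)
	}
	var creds credentialsFile
	if err := json.Unmarshal(raw, &creds); err != nil {
		return "", "", false, fmt.Errorf("parse %s: %w", credsPath, err)
	}
	if creds.AccessTokens[creds.Current] == "" {
		return "", "", false, fmt.Errorf("%s has no token for backend %q", credsPath, creds.Current)
	}
	return creds.AccessTokens[creds.Current], credsPath, true, nil
}

// writeSampleCredentials writes a constructed stale file, like one left by an earlier login for project1 (placeholder token).
func writeSampleCredentials(dir string) (string, error) {
	path := dir + "/credentials.json"
	sample := `{"current":"https://api.pulumi.com","accessTokens":{"https://api.pulumi.com":"pul-PROJECT1-PLACEHOLDER"}}`
	return path, os.WriteFile(path, []byte(sample), 0o600)
}

func main() {
	dir, _ := os.MkdirTemp("", "pulumi-creds-example")
	defer os.RemoveAll(dir)
	path, _ := writeSampleCredentials(dir)
	for _, envTok := range []string{"", "pul-PROJECT2-PLACEHOLDER"} { // stale file, without and with env token
		fmt.Println(resolveAccessToken(envTok, path))
	}
}
```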
Steps to reproduce
The token for `project2` is ignored, the existing credentials file is used, and `pulumi` will report an access error if the token from `project1` doesn't provide access to the stacks of `project2`.
Output of `pulumi about`
Any Pulumi CLI version.
Additional context
Related:
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).