Stack outputs show secrets parameters when parent is exported #2862
Labels
impact/security
kind/bug
Some behavior is incorrect or out of spec
p0
A bug severe enough to interrupt existing work
Milestone
Pulumi Devs,
Thanks for taking a look at this. I've noticed that attributes of resources that contain a secret value are not encrypted in the stack when the parent resource is exported. However, individual references to that attribute as an export are encrypted. In both examples, the output is correctly masked. My expectation is that the secret never shows up in plaintext in the stack export in either case. This is almost the inverse of this issue: #2756.
To reproduce, setup a new typescript project (using pulumi 0.17.18 and node 12.4.0):
Create a secret:
Edit index.ts:
Create the stack:
If you inspect the stack via
pulumi stack export
(or by looking at the local stack directly), the text "super-pet" exists in plaintext as an output ofmypet
but not ofmyPetPrefix
. I would expect it to be ciphertext in all cases.Thanks for taking a look at this issue! Let me know if I can provide any other information to assist with debugging.
The text was updated successfully, but these errors were encountered: