-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Re-enable warning when a secret config is read as a non-secret #7127
Comments
Thank you. This was more of an annoyance than anything. Pulumi already detects with a value is secret encoded via the presence of the Examples where this was a nuisance:
But we intentionally nest secrets within a value of the mapping/object:
|
If you read the object via |
Hmmm good point and I like that second option there as it keeps the secret within a normal configuration flexible. Interestingly enough I have been using Output.secret to generate secrets from vault using hvac directly as futures, but never thought to use this paradigm with the base configuration system.
Thanks!
… On Jun 14, 2021, at 4:42 PM, Justin Van Patten ***@***.***> wrote:
I don't see the purpose in telling users to specifically require a secret
If you read the object via require_object, the object will be deserialized and available to the program with plaintext values. master_password will be plaintext and passing it as an input to any resource will likely result in the value being stored in the state unencrypted. To avoid this, use require_object_secret, which returns the object wrapped as Output[T] marked as a secret, and pass individual values in the object elsewhere with apply (e.g. foobar.apply(lambda fb: fb.master_password)) to maintain the value's secretness. Alternatively, continue using require_object, but use output.Secret(foobar.master_password) before passing it as an input to a resource, if you want it to to remain a secret as it flows throughout the rest of the system.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
Part of addressing this will be seeing if we can make the variables in the |
Giving my two cents: The issue occurs in both directions:
Both of these scenarios indicate that the config producers (users) and consumers (Pulumi programs or providers) are at odds about whether or not the value is a secret. To me, this isn't a "warning"-level offense; it's a blow-up-in-your-face offense. In the worst case, this indicates the secret is stored in plaintext in the repository; and in the best case it indicates the project or provider might not be cognizant of keeping the secret values safe. Users can control their config and Pulumi programs, but not necessarily providers; so I'd love if this could be configured as either a warning or an error, on a per-stack basis. Warnings might be annoying, but I'd much rather be annoyed than miss a potential security vulnerability. |
Furthermore to this, using the non-secret getter allows for the result to be exported as a plain text value in the stack output (no warnings, no errors). Maybe some thoughts here:
On 1. an extra option could be provided to allow a silent operation. The secret state of the value would be dependent of the way the value is stored in the configuration file. |
We recently added a warning when reading a secret config value as a non-secret (#6896 #7078 #7079 #7080). However, one issue we've run into is that many of our provider SDKs greedily read config values in a
config
module using the non-secret config APIs, which results in a warning if such values happen to be saved as secrets -- a warning that users can't really do anything about (see #7126). We're going to temporarily disable the new warning for now. This tracks re-enabling the warning without this issue.The text was updated successfully, but these errors were encountered: