
Ensure EncryptionKey is regenerated when changing secrets provider #5842

Merged (1 commit, Dec 1, 2020)

Conversation

stack72 (Contributor)

@stack72 stack72 commented Dec 1, 2020

Fixes: #5835

When rotating a key in the Azure KeyVault secrets provider, we had
the following error:

```
error: secrets (code=InvalidArgument): keyvault.BaseClient#Decrypt: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadParameter" Message="The parameter is incorrect.\r\n"
```

This was because we were not regenerating the EncryptionKey when
we were changing the secrets provider. Therefore, we now ensure
that this key is regenerated and we can successfully change the secrets provider.

To test this, I was able to run the following:

```
az group create -l westus2 -n stack72-secret-provider

az keyvault create -l westus2 -n stack72kv10 --resource-group stack72-secret-provider
az keyvault create -l westus2 -n stack72kv20 --resource-group stack72-secret-provider

az keyvault key create --name pulumi-secret --vault-name stack72kv10
az keyvault key create --name pulumi-secret --vault-name stack72kv20

az keyvault set-policy --name stack72kv10 --object-id <my subscription id> --key-permissions decrypt get create delete list update import backup restore recover encrypt
az keyvault set-policy --name stack72kv20 --object-id <my subscription id> --key-permissions decrypt get create delete list update import backup restore recover encrypt
```

This set up a ResourceGroup with 2 KeyVaults and a secret in each.

I could then initialize a stack:

```
pulumi stack init dev --secrets-provider="azurekeyvault://stack72kv10.vault.azure.net/keys/pulumi-secret"
```

I added a secret and ensured it was able to be decrypted:

```
pulumi config set MyDBRootPassword Password1234! --secret
```

```
pulumi config --show-secrets
KEY               VALUE
MyDBRootPassword  Password1234!
```

I then changed the secrets provider:

```
pulumi stack change-secrets-provider "azurekeyvault://stack72kv20.vault.azure.net/keys/pulumi-secret"
```

I then was able to decrypt the secrets:

```
pulumi config --show-secrets
KEY               VALUE
MyDBRootPassword  Password1234!
```

```
▶ pulumi stack init dev --secrets-provider="azurekeyvault://stack72kv10.vault.azure.net/keys/pulumi-secret"
Created stack 'dev'

▶ pulumi config set MyDBRootPassword Password1234! --secret

▶ pulumi config --show-secrets
KEY               VALUE
MyDBRootPassword  Password1234!

▶ pulumi stack change-secrets-provider "azurekeyvault://stack72kv20.vault.azure.net/keys/pulumi-secret"

▶ pulumi config --show-secrets
KEY               VALUE
MyDBRootPassword  Password1234!
```
@stack72 stack72 self-assigned this Dec 1, 2020
@stack72 stack72 requested a review from justinvp December 1, 2020 12:59
@stack72 stack72 merged commit eee053c into master Dec 1, 2020
@pulumi-bot pulumi-bot deleted the fix-change-secrets-provider branch December 1, 2020 15:26
Successfully merging this pull request may close these issues.

Error when trying to change secret provider