pulumi
Private Keys as ESC secrets
What happened?
It appears that you can't send a RSA or any certificate into ESC as a secret or plan text. when either piping it or passing it as a value you will get this error
Error: bad flag syntax: -----BEGIN RSA PRIVATE KEY-----
Example
esc env set authentication/github-runner githubConfigSecret.github_app_private_key '{PASTE CERT HERE}' --secret
or
echo cert.crt | esc env set authentication/github-runner githubConfigSecret.github_app_private_key --secret
Output of pulumi about
CLI Version 3.150.0 Go Version go1.23.6 Go Compiler gc
Host OS darwin Version 15.3.1 Arch arm64
Backend Name pulumi.com URL https://app.pulumi.com/boost User boost Organizations boost Token type organization: boost Token name github actions token
Pulumi locates its logs in /var/folders/pb/jvr_jx9x6ds3fhck94kb66y80000gq/T/ by default
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
@moos3 Hi, unfortunately this is a common issue with argument parsing libraries (including the one we use in esc); when your argument begins with an -, the argument is treated as a flag.
An easy workaround is to pass in --, which tells the parser to stop parsing flags. So for example:
esc env set --secret -- authentication/github-runner githubConfigSecret.github_app_private_key '{PASTE CERT HERE}'
Does this work for you?
