
aws.secretsmanager.getSecretVersion doesn't mark secretString and secretBinary as sensitive

Open pbzdyl opened this issue 3 years ago • 2 comments

Related Slack discussion: https://pulumi-community.slack.com/archives/CRH5ENVDX/p1618397713307500

It seems that the aws.secretsmanager.getSecretVersion data source doesn't mark secretString and secretBinary as sensitive attributes, and they get stored in the state in plaintext rather than encrypted with the stack encryption provider.

Also, if one of these attributes is exposed as a stack output or as an input to another resource, it is also stored in plaintext in the stack output or in the other resource's input data in the state.

import * as aws from "@pulumi/aws";
import * as pulumi from "@pulumi/pulumi";

const config = new pulumi.Config();

// Data-source call: returns a Promise whose secretString/secretBinary
// fields are not marked as secret.
const secretVersion = aws.secretsmanager.getSecretVersion({
    secretId: config.require("secretArn"),
});

// Exported as a plain stack output, so the value ends up unencrypted in the state.
export const secretString = secretVersion.then(secretVersion => secretVersion.secretString);

pbzdyl avatar Apr 16 '21 08:04 pbzdyl

@pbzdyl For now, you wrap the promise with pulumi.secret to ensure it gets marked as secret.

leezen avatar Apr 20 '21 18:04 leezen
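The claim in the issue body is that the fetched value lands in the state unencrypted, and the suggested remedy is to wrap the promise in pulumi.secret so the output is encrypted with the stack's secrets provider. The script below is an added example (it is not part of this issue or of the Pulumi or pulumi-aws code bases) that checks both claims against a `pulumi stack export` checkpoint: it walks every resource's inputs and outputs and reports any unencrypted leaf that is either a sensitive-named property or equal to a secret value you already know. The two marker constants are the ones Pulumi writes into checkpoint JSON for encrypted properties; the embedded checkpoint, the resource names, the ARN, the ciphertext string and the list of sensitive property names beyond secretString/secretBinary are constructed assumptions.

```python
"""Check a `pulumi stack export` checkpoint for secret values stored in state unencrypted.

Added example, not part of the pulumi-aws issue or of Pulumi itself. SAMPLE_EXPORT is a
constructed checkpoint; only SPECIAL_SIG_KEY/SECRET_SIG are Pulumi's real markers.
"""
from __future__ import annotations

import json
from typing import Any, Iterator

# Pulumi stores an encrypted property in checkpoint JSON as
#   {"4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb663c4", "ciphertext": "..."}
SPECIAL_SIG_KEY = "4dabf18193072939515e22adb298388d"
SECRET_SIG = "1b47061264138c4ac30d75fd1eb663c4"

# Property names that must never be stored in plaintext. secretString/secretBinary are the
# getSecretVersion attributes from the issue; the other two are an assumed house policy.
SENSITIVE_KEYS = frozenset({"secretString", "secretBinary", "password", "privateKey"})

# Constructed checkpoint: one plaintext stack output, one pulumi.secret-wrapped output,
# and the same plaintext value passed as an input to two other resources.
SAMPLE_EXPORT = json.loads(r'''
{
  "version": 3,
  "deployment": {
    "manifest": {"time": "2021-04-16T08:04:00Z", "version": "v3.0.0"},
    "secrets_providers": {"type": "passphrase", "state": {"salt": "v1:c2FsdA==:aGFzaA=="}},
    "resources": [
      {
        "urn": "urn:pulumi:dev::example::pulumi:pulumi:Stack::example-dev",
        "type": "pulumi:pulumi:Stack",
        "outputs": {
          "secretString": "hunter2-plaintext",
          "secretStringWrapped": {
            "4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb663c4",
            "ciphertext": "v1:bm9uY2U=:Y2lwaGVydGV4dA=="
          }
        }
      },
      {
        "urn": "urn:pulumi:dev::example::aws:secretsmanager/secretVersion:SecretVersion::copy",
        "type": "aws:secretsmanager/secretVersion:SecretVersion",
        "inputs": {
          "secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:copy-AbCdEf",
          "secretString": "hunter2-plaintext"
        }
      },
      {
        "urn": "urn:pulumi:dev::example::aws:ssm/parameter:Parameter::db-password",
        "type": "aws:ssm/parameter:Parameter",
        "inputs": {"name": "/app/db/password", "type": "SecureString", "value": "hunter2-plaintext"}
      }
    ]
  }
}
''')


def is_encrypted(value: Any) -> bool:
    """True when `value` is Pulumi's secret wrapper rather than a plaintext leaf."""
    return isinstance(value, dict) and value.get(SPECIAL_SIG_KEY) == SECRET_SIG


def leaves(value: Any, path: str = "", key: str = "") -> Iterator[tuple[str, str, Any, bool]]:
    """Yield (json_path, last_key, value, encrypted) for every leaf of a property bag.

    A secret wrapper is treated as a single encrypted leaf and not descended into."""
    if is_encrypted(value):
        yield path, key, value, True
        return
    if isinstance(value, dict):
        for k, v in value.items():
            yield from leaves(v, f"{path}.{k}" if path else k, k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from leaves(v, f"{path}[{i}]", key)
    else:
        yield path, key, value, False


def find_plaintext_secrets(checkpoint: dict, known_values: frozenset[str] | set[str] = frozenset()) -> list[dict]:
    """Report unencrypted inputs/outputs that are sensitive-named or equal to a known secret value.

    The value-based check catches leaks through arbitrarily named properties (e.g. an SSM
    parameter's `value`), which a name-based check alone would miss."""
    findings = []
    for res in checkpoint["deployment"].get("resources", []):
        for section in ("inputs", "outputs"):
            for path, key, value, encrypted in leaves(res.get(section, {})):
                if encrypted:
                    continue
                if key in SENSITIVE_KEYS:
                    reason = "sensitive name"
                elif isinstance(value, str) and value in known_values:
                    reason = "known secret value"
                else:
                    continue
                findings.append({"urn": res["urn"], "section": section, "path": path, "reason": reason})
    return findings


def scan_sample() -> list[dict]:
    """Run the check over the constructed checkpoint with the known plaintext secret."""
    return find_plaintext_secrets(SAMPLE_EXPORT, known_values={"hunter2-plaintext"})


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['section']}.{f['path']} on {f['urn']}: {f['reason']}")
```

Against a real stack, replace SAMPLE_EXPORT with `json.load(open("state.json"))` after `pulumi stack export --file state.json`, and pass the value you fetched from Secrets Manager as `known_values`. The getSecretVersion invoke itself is not a resource in the checkpoint, so the only places its result can leak are exactly the ones the issue names: a stack output or another resource's inputs, which is what the scan walks. On the sample, the unwrapped output and both downstream inputs are flagged while the pulumi.secret-wrapped output is skipped as encrypted.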

Currently impossible to fix in the provider as it needs https://github.com/pulumi/pulumi/issues/12710

t0yv0 avatar Apr 22 '24 20:04 t0yv0