
`pulumi stack output` returns secrets from config as plaintext

Open pawelprazak opened this issue 2 years ago • 2 comments

What happened?

pulumi stack output returns secrets from config as plaintext

Example

```typescript
import * as pulumi from "@pulumi/pulumi";

const config = new pulumi.Config();
// Read from stack config; the config key was set with `pulumi config set --secret`.
export const test = config.require("test");
// Explicitly wrapped as a secret output.
export const password = pulumi.secret("asdf");
```

```shell
pulumi up
```

This shows correctly, both as secret.

And here the second secret is in plain text:

```
$ pulumi stack output --json
{
  "password": "[secret]",
  "test": "asdf"
}

$ pulumi stack output
Current stack outputs (2):
    OUTPUT    VALUE
    password  [secret]
    test      asdf

$ pulumi stack output test
asdf
```

Output of pulumi about

```
CLI
Version      3.94.0
Go Version   go1.21.3
Go Compiler  gc

Plugins
NAME    VERSION
nodejs  unknown

Host
OS       darwin
Version  14.1
Arch     arm64

This project is written in nodejs: executable='/opt/homebrew/bin/node' version='v21.1.0'

Current Stack: pprazak/test/dev

TYPE                 URN
pulumi:pulumi:Stack  urn:pulumi:dev::test::pulumi:pulumi:Stack::test-dev

Found no pending operations associated with dev

Backend
Name           pulumi.com
URL            https://app.pulumi.com/pprazak
User           pprazak
Organizations  pprazak, besom
Token type     personal

Dependencies:
NAME            VERSION
@pulumi/pulumi  3.94.0
@types/node     16.18.61
```

Additional context

Discovered during Besom SDK integration tests.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

pawelprazak avatar Nov 15 '23 13:11 pawelprazak

Is "test" marked as a secret in the config file? Or are you expecting the auto-filter to kick in here because it has the same value as another output explicitly marked secret?

Frassle avatar Nov 15 '23 13:11 Frassle

I've used this command:

```shell
pulumi config set --secret test asdf
```

And this is the resulting `Pulumi.dev.yaml`:

```yaml
  test:test:
    secure: AAABAKTt+IJyyaBGSs4A6iCFNyY0Ci693wdVdUt+ZL1arOfc
```

I've called `up` twice, after adding each secret; this is the relevant CLI output fragment from the second run:

```
Outputs:
    password: [secret]
  + test    : "[secret]"
```

pawelprazak avatar Nov 15 '23 14:11 pawelprazak

This repros as written. The value of the test configuration is also visible in plain text in the state file, both in stack outputs and in any resource inputs where it's used.

pulumi up shows both as secrets:

```
    password: [secret]
    test    : "[secret]"
```

but notice the quotes around the test value: it got masked out by our output filtering mechanism that detected the secretty config value in output.

In contrast, pulumi stack output does not read config or run code, so it has nothing to base the masking process on.

The correct way to fix this from the user's point of view is to use `requireSecret` instead of `require`:

```typescript
export const test = config.requireSecret("test");
```

I cross-checked with Python and .NET SDKs and they behave exactly the same way. So this seems to be "by design".

We could possibly fail or warn when users try to require a secret value, but this sounds like a substantial breaking change in behavior. Anyway, opening it as a separate issue: https://github.com/pulumi/pulumi/issues/16383

mikhailshilkov avatar Jun 12 '24 16:06 mikhailshilkov
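The comment above explains why `pulumi stack output` cannot mask a value that was exported via `config.require`: the CLI has no config or program context to base masking on, so the only reliable check is to compare the two documents yourself. The following is an added example, not code from the issue or from Pulumi. It cross-checks the JSON that `pulumi stack output --json` prints (secrets shown as `[secret]`) against the JSON that `pulumi config --json --show-secrets` prints (decrypted config with a `secret` flag per key) and reports every plaintext output, including nested ones, whose value equals a config value marked secret. The two document shapes are modelled on the CLI output shown in this thread and are an assumption of the example; the sample data is constructed inline so it runs offline.

```typescript
// Added example (not from the issue or from Pulumi). Flags stack outputs that
// print a secret config value in plaintext, i.e. values exported with
// config.require() where config.requireSecret() should have been used.
//
// Assumed input shapes (modelled on the CLI output in this thread):
//   `pulumi stack output --json`           -> { outputName: value | "[secret]" }
//   `pulumi config --json --show-secrets`  -> { "proj:key": { value, secret? } }

const SECRET_PLACEHOLDER = "[secret]"; // what the CLI prints for masked outputs

interface ConfigEntry {
  value: string;
  secret?: boolean;
}
type StackOutputs = { [name: string]: unknown };
type StackConfig = { [key: string]: ConfigEntry };

interface Leak {
  output: string;    // dotted path of the stack output printed in plaintext
  configKey: string; // secret config key whose decrypted value it carries
}

// Index decrypted secret config values by value so outputs can be looked up.
function secretConfigValues(config: StackConfig): { [value: string]: string } {
  const byValue: { [value: string]: string } = {};
  for (const key of Object.keys(config)) {
    const entry = config[key];
    if (entry.secret === true && typeof entry.value === "string") {
      byValue[entry.value] = key;
    }
  }
  return byValue;
}

// Walk every string leaf of the outputs (outputs may be objects or arrays) and
// report those equal to a secret config value that the CLI did not mask.
function findLeakedSecrets(outputs: StackOutputs, config: StackConfig): Leak[] {
  const secrets = secretConfigValues(config);
  const leaks: Leak[] = [];

  const visit = (name: string, value: unknown): void => {
    if (typeof value === "string") {
      if (value === SECRET_PLACEHOLDER) return; // masked by the CLI, fine
      if (Object.prototype.hasOwnProperty.call(secrets, value)) {
        leaks.push({ output: name, configKey: secrets[value] });
      }
    } else if (Array.isArray(value)) {
      value.forEach((v, i) => visit(`${name}[${i}]`, v));
    } else if (value !== null && typeof value === "object") {
      const obj = value as { [k: string]: unknown };
      for (const k of Object.keys(obj)) visit(`${name}.${k}`, obj[k]);
    }
  };

  for (const name of Object.keys(outputs)) visit(name, outputs[name]);
  return leaks;
}

// Human-readable findings, one line per leak.
function report(outputs: StackOutputs, config: StackConfig): string[] {
  return findLeakedSecrets(outputs, config).map(
    (l) => `output "${l.output}" exposes secret config "${l.configKey}" in plaintext; export it with requireSecret()`
  );
}

// Constructed sample data shaped like the issue: `password` was wrapped with
// pulumi.secret() and is masked; `test` came from config.require() and is
// printed in plaintext although the config key was set with --secret. A nested
// object shows that the check also catches secrets buried in structured outputs.
const SAMPLE_OUTPUTS: StackOutputs = {
  password: "[secret]",
  test: "asdf",
  endpoint: { host: "db.example.internal", password: "asdf" },
};

const SAMPLE_CONFIG: StackConfig = {
  "test:test": { value: "asdf", secret: true },
  "test:region": { value: "eu-west-1" },
};

for (const line of report(SAMPLE_OUTPUTS, SAMPLE_CONFIG)) console.log(line);
```

In practice you would feed the script the real documents, e.g. `pulumi stack output --json > outputs.json` and `pulumi config --json --show-secrets > config.json`, and run it in CI before a stack's outputs are consumed elsewhere. Note that the second command decrypts the secrets, so it must only run where that is acceptable; the comparison is by exact value, so a secret that is transformed before being exported (concatenated, base64-encoded) will not be detected and still needs `requireSecret` at the source.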