1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. kms
  5. getKMSSecretCiphertext
Google Cloud Classic v7.16.0 published on Wednesday, Mar 27, 2024 by Pulumi

gcp.kms.getKMSSecretCiphertext

Explore with Pulumi AI

gcp logo
Google Cloud Classic v7.16.0 published on Wednesday, Mar 27, 2024 by Pulumi

    !> Warning: This data source is deprecated. Use the gcp.kms.SecretCiphertext resource instead.

    This data source allows you to encrypt data with Google Cloud KMS and use the ciphertext within your resource definitions.

    For more information see the official documentation.

    NOTE: Using this data source will allow you to conceal secret data within your resource definitions, but it does not take care of protecting that data in the logging output, plan output, or state output. Please take care to secure your secret data outside of resource definitions.

    Example Usage

    First, create a KMS KeyRing and CryptoKey using the resource definitions:

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const myKeyRing = new gcp.kms.KeyRing("my_key_ring", {
        project: "my-project",
        name: "my-key-ring",
        location: "us-central1",
    });
    const myCryptoKey = new gcp.kms.CryptoKey("my_crypto_key", {
        name: "my-crypto-key",
        keyRing: myKeyRing.id,
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    my_key_ring = gcp.kms.KeyRing("my_key_ring",
        project="my-project",
        name="my-key-ring",
        location="us-central1")
    my_crypto_key = gcp.kms.CryptoKey("my_crypto_key",
        name="my-crypto-key",
        key_ring=my_key_ring.id)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/kms"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		myKeyRing, err := kms.NewKeyRing(ctx, "my_key_ring", &kms.KeyRingArgs{
    			Project:  pulumi.String("my-project"),
    			Name:     pulumi.String("my-key-ring"),
    			Location: pulumi.String("us-central1"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = kms.NewCryptoKey(ctx, "my_crypto_key", &kms.CryptoKeyArgs{
    			Name:    pulumi.String("my-crypto-key"),
    			KeyRing: myKeyRing.ID(),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var myKeyRing = new Gcp.Kms.KeyRing("my_key_ring", new()
        {
            Project = "my-project",
            Name = "my-key-ring",
            Location = "us-central1",
        });
    
        var myCryptoKey = new Gcp.Kms.CryptoKey("my_crypto_key", new()
        {
            Name = "my-crypto-key",
            KeyRing = myKeyRing.Id,
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.kms.KeyRing;
    import com.pulumi.gcp.kms.KeyRingArgs;
    import com.pulumi.gcp.kms.CryptoKey;
    import com.pulumi.gcp.kms.CryptoKeyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var myKeyRing = new KeyRing("myKeyRing", KeyRingArgs.builder()        
                .project("my-project")
                .name("my-key-ring")
                .location("us-central1")
                .build());
    
            var myCryptoKey = new CryptoKey("myCryptoKey", CryptoKeyArgs.builder()        
                .name("my-crypto-key")
                .keyRing(myKeyRing.id())
                .build());
    
        }
    }
    
    resources:
      myKeyRing:
        type: gcp:kms:KeyRing
        name: my_key_ring
        properties:
          project: my-project
          name: my-key-ring
          location: us-central1
      myCryptoKey:
        type: gcp:kms:CryptoKey
        name: my_crypto_key
        properties:
          name: my-crypto-key
          keyRing: ${myKeyRing.id}
    

    Next, encrypt some sensitive information and use the encrypted data in your resource definitions:

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const myPassword = gcp.kms.getKMSSecretCiphertext({
        cryptoKey: myCryptoKey.id,
        plaintext: "my-secret-password",
    });
    const instance = new gcp.compute.Instance("instance", {
        networkInterfaces: [{
            accessConfigs: [{}],
            network: "default",
        }],
        name: "test",
        machineType: "e2-medium",
        zone: "us-central1-a",
        bootDisk: {
            initializeParams: {
                image: "debian-cloud/debian-11",
            },
        },
        metadata: {
            password: myPassword.then(myPassword => myPassword.ciphertext),
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    my_password = gcp.kms.get_kms_secret_ciphertext(crypto_key=my_crypto_key["id"],
        plaintext="my-secret-password")
    instance = gcp.compute.Instance("instance",
        network_interfaces=[gcp.compute.InstanceNetworkInterfaceArgs(
            access_configs=[gcp.compute.InstanceNetworkInterfaceAccessConfigArgs()],
            network="default",
        )],
        name="test",
        machine_type="e2-medium",
        zone="us-central1-a",
        boot_disk=gcp.compute.InstanceBootDiskArgs(
            initialize_params=gcp.compute.InstanceBootDiskInitializeParamsArgs(
                image="debian-cloud/debian-11",
            ),
        ),
        metadata={
            "password": my_password.ciphertext,
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/kms"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		myPassword, err := kms.GetKMSSecretCiphertext(ctx, &kms.GetKMSSecretCiphertextArgs{
    			CryptoKey: myCryptoKey.Id,
    			Plaintext: "my-secret-password",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = compute.NewInstance(ctx, "instance", &compute.InstanceArgs{
    			NetworkInterfaces: compute.InstanceNetworkInterfaceArray{
    				&compute.InstanceNetworkInterfaceArgs{
    					AccessConfigs: compute.InstanceNetworkInterfaceAccessConfigArray{
    						nil,
    					},
    					Network: pulumi.String("default"),
    				},
    			},
    			Name:        pulumi.String("test"),
    			MachineType: pulumi.String("e2-medium"),
    			Zone:        pulumi.String("us-central1-a"),
    			BootDisk: &compute.InstanceBootDiskArgs{
    				InitializeParams: &compute.InstanceBootDiskInitializeParamsArgs{
    					Image: pulumi.String("debian-cloud/debian-11"),
    				},
    			},
    			Metadata: pulumi.StringMap{
    				"password": pulumi.String(myPassword.Ciphertext),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var myPassword = Gcp.Kms.GetKMSSecretCiphertext.Invoke(new()
        {
            CryptoKey = myCryptoKey.Id,
            Plaintext = "my-secret-password",
        });
    
        var instance = new Gcp.Compute.Instance("instance", new()
        {
            NetworkInterfaces = new[]
            {
                new Gcp.Compute.Inputs.InstanceNetworkInterfaceArgs
                {
                    AccessConfigs = new[]
                    {
                        null,
                    },
                    Network = "default",
                },
            },
            Name = "test",
            MachineType = "e2-medium",
            Zone = "us-central1-a",
            BootDisk = new Gcp.Compute.Inputs.InstanceBootDiskArgs
            {
                InitializeParams = new Gcp.Compute.Inputs.InstanceBootDiskInitializeParamsArgs
                {
                    Image = "debian-cloud/debian-11",
                },
            },
            Metadata = 
            {
                { "password", myPassword.Apply(getKMSSecretCiphertextResult => getKMSSecretCiphertextResult.Ciphertext) },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.kms.KmsFunctions;
    import com.pulumi.gcp.kms.inputs.GetKMSSecretCiphertextArgs;
    import com.pulumi.gcp.compute.Instance;
    import com.pulumi.gcp.compute.InstanceArgs;
    import com.pulumi.gcp.compute.inputs.InstanceNetworkInterfaceArgs;
    import com.pulumi.gcp.compute.inputs.InstanceBootDiskArgs;
    import com.pulumi.gcp.compute.inputs.InstanceBootDiskInitializeParamsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var myPassword = KmsFunctions.getKMSSecretCiphertext(GetKMSSecretCiphertextArgs.builder()
                .cryptoKey(myCryptoKey.id())
                .plaintext("my-secret-password")
                .build());
    
            var instance = new Instance("instance", InstanceArgs.builder()        
                .networkInterfaces(InstanceNetworkInterfaceArgs.builder()
                    .accessConfigs()
                    .network("default")
                    .build())
                .name("test")
                .machineType("e2-medium")
                .zone("us-central1-a")
                .bootDisk(InstanceBootDiskArgs.builder()
                    .initializeParams(InstanceBootDiskInitializeParamsArgs.builder()
                        .image("debian-cloud/debian-11")
                        .build())
                    .build())
                .metadata(Map.of("password", myPassword.applyValue(getKMSSecretCiphertextResult -> getKMSSecretCiphertextResult.ciphertext())))
                .build());
    
        }
    }
    
    resources:
      instance:
        type: gcp:compute:Instance
        properties:
          networkInterfaces:
            - accessConfigs:
                - {}
              network: default
          name: test
          machineType: e2-medium
          zone: us-central1-a
          bootDisk:
            initializeParams:
              image: debian-cloud/debian-11
          metadata:
            password: ${myPassword.ciphertext}
    variables:
      myPassword:
        fn::invoke:
          Function: gcp:kms:getKMSSecretCiphertext
          Arguments:
            cryptoKey: ${myCryptoKey.id}
            plaintext: my-secret-password
    

    The resulting instance can then access the encrypted password from its metadata and decrypt it, e.g. using the Cloud SDK):

    $ curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/attributes/password \
    > | base64 -d | gcloud kms decrypt \
    > --project my-project \
    > --location us-central1 \
    > --keyring my-key-ring \
    > --key my-crypto-key \
    > --plaintext-file - \
    > --ciphertext-file - \
    my-secret-password
    

    Using getKMSSecretCiphertext

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getKMSSecretCiphertext(args: GetKMSSecretCiphertextArgs, opts?: InvokeOptions): Promise<GetKMSSecretCiphertextResult>
    function getKMSSecretCiphertextOutput(args: GetKMSSecretCiphertextOutputArgs, opts?: InvokeOptions): Output<GetKMSSecretCiphertextResult>
    def get_kms_secret_ciphertext(crypto_key: Optional[str] = None,
                                  plaintext: Optional[str] = None,
                                  opts: Optional[InvokeOptions] = None) -> GetKMSSecretCiphertextResult
    def get_kms_secret_ciphertext_output(crypto_key: Optional[pulumi.Input[str]] = None,
                                  plaintext: Optional[pulumi.Input[str]] = None,
                                  opts: Optional[InvokeOptions] = None) -> Output[GetKMSSecretCiphertextResult]
    func GetKMSSecretCiphertext(ctx *Context, args *GetKMSSecretCiphertextArgs, opts ...InvokeOption) (*GetKMSSecretCiphertextResult, error)
    func GetKMSSecretCiphertextOutput(ctx *Context, args *GetKMSSecretCiphertextOutputArgs, opts ...InvokeOption) GetKMSSecretCiphertextResultOutput

    > Note: This function is named GetKMSSecretCiphertext in the Go SDK.

    public static class GetKMSSecretCiphertext 
    {
        public static Task<GetKMSSecretCiphertextResult> InvokeAsync(GetKMSSecretCiphertextArgs args, InvokeOptions? opts = null)
        public static Output<GetKMSSecretCiphertextResult> Invoke(GetKMSSecretCiphertextInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetKMSSecretCiphertextResult> getKMSSecretCiphertext(GetKMSSecretCiphertextArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
    
    fn::invoke:
      function: gcp:kms/getKMSSecretCiphertext:getKMSSecretCiphertext
      arguments:
        # arguments dictionary

    The following arguments are supported:

    CryptoKey string
    The id of the CryptoKey that will be used to encrypt the provided plaintext. This is represented by the format {projectId}/{location}/{keyRingName}/{cryptoKeyName}.
    Plaintext string
    The plaintext to be encrypted
    CryptoKey string
    The id of the CryptoKey that will be used to encrypt the provided plaintext. This is represented by the format {projectId}/{location}/{keyRingName}/{cryptoKeyName}.
    Plaintext string
    The plaintext to be encrypted
    cryptoKey String
    The id of the CryptoKey that will be used to encrypt the provided plaintext. This is represented by the format {projectId}/{location}/{keyRingName}/{cryptoKeyName}.
    plaintext String
    The plaintext to be encrypted
    cryptoKey string
    The id of the CryptoKey that will be used to encrypt the provided plaintext. This is represented by the format {projectId}/{location}/{keyRingName}/{cryptoKeyName}.
    plaintext string
    The plaintext to be encrypted
    crypto_key str
    The id of the CryptoKey that will be used to encrypt the provided plaintext. This is represented by the format {projectId}/{location}/{keyRingName}/{cryptoKeyName}.
    plaintext str
    The plaintext to be encrypted
    cryptoKey String
    The id of the CryptoKey that will be used to encrypt the provided plaintext. This is represented by the format {projectId}/{location}/{keyRingName}/{cryptoKeyName}.
    plaintext String
    The plaintext to be encrypted

    getKMSSecretCiphertext Result

    The following output properties are available:

    Ciphertext string
    Contains the result of encrypting the provided plaintext, encoded in base64.
    CryptoKey string
    Id string
    The provider-assigned unique ID for this managed resource.
    Plaintext string
    Ciphertext string
    Contains the result of encrypting the provided plaintext, encoded in base64.
    CryptoKey string
    Id string
    The provider-assigned unique ID for this managed resource.
    Plaintext string
    ciphertext String
    Contains the result of encrypting the provided plaintext, encoded in base64.
    cryptoKey String
    id String
    The provider-assigned unique ID for this managed resource.
    plaintext String
    ciphertext string
    Contains the result of encrypting the provided plaintext, encoded in base64.
    cryptoKey string
    id string
    The provider-assigned unique ID for this managed resource.
    plaintext string
    ciphertext str
    Contains the result of encrypting the provided plaintext, encoded in base64.
    crypto_key str
    id str
    The provider-assigned unique ID for this managed resource.
    plaintext str
    ciphertext String
    Contains the result of encrypting the provided plaintext, encoded in base64.
    cryptoKey String
    id String
    The provider-assigned unique ID for this managed resource.
    plaintext String

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v7.16.0 published on Wednesday, Mar 27, 2024 by Pulumi