Working with Secrets
All resource input and output values are recorded as state and are stored in Pulumi Cloud, a file, or a pluggable provider that you choose. These raw values are usually just server names, configuration settings, and so on. In some cases, however, these values contain sensitive data, such as database passwords or service tokens.
Pulumi Cloud always transmits and stores entire state files securely; however, Pulumi also supports encrypting specific values as “secrets” for extra protection. Encryption ensures that these values never appear as plain-text in your state file. By default, the encryption method uses automatic, per-stack encryption keys provided by Pulumi Cloud or you can use a provider of your own choosing instead.
To encrypt a configuration setting before runtime, use the CLI command pulumi config set
with the --secret
option. All encrypted values are stored as ciphertext in configuration and state files.
Back inside the my-first-app
project, make sure the staging
is selected and set a username and password for MongoDB:
$ pulumi stack select staging
$ pulumi config set mongoUsername admin
$ pulumi config set --secret mongoPassword S3cr37
Now try listing the configuration for the stack as before, and notice, the value for mongoPassword
is hidden:
$ pulumi config
KEY VALUE
backendPort 3000
database cart
frontendPort 3002
mongoHost mongodb://mongo:27017
mongoPassword [secret]
mongoPort 27017
mongoUsername admin
nodeEnvironment development
protocol http://
Notice the password value is also encrypted in the stack configuration file:
$ cat Pulumi.staging.yaml
config:
my-first-app:backendPort: "3000"
my-first-app:database: cart
my-first-app:frontendPort: "3002"
my-first-app:mongoHost: mongodb://mongo:27017
my-first-app:mongoPassword:
secure: AAABANASX3meu/8efB9H4oSyXrr/4GPYxfxsomW1NQbIoKU+xSY=
my-first-app:mongoPort: "27017"
my-first-app:mongoUsername: admin
my-first-app:nodeEnvironment: development
my-first-app:protocol: http://
Secrets can be accessed in code using secret-specific helper functions. Modify the code in index.js
index.ts
__main__.py
main.go
Program.cs
Program.fs
Program.vb
App.java
Pulumi.yaml
my-first-app
to add the following lines:
const config = new pulumi.Config();
// ...
const mongoUsername = config.require("mongoUsername");
const mongoPassword = config.requireSecret("mongoPassword");
config = pulumi.Config()
#...
mongo_username = config.require("mongoUsername")
mongo_password = config.require_secret("mongoPassword")
We need to make a few changes to use this new username and password. First,
let’s go ahead and make sure when our mongo
container is created, it has the
correct username and password. Update the container definition to use the envs
input property to set environment variables for the database username and password:
const mongoContainer = new docker.Container("mongoContainer", {
image: mongoImage.repoDigest,
name: `mongo-${stack}`,
ports: [
{
internal: mongoPort,
external: mongoPort,
},
],
networksAdvanced: [
{
name: network.name,
aliases: ["mongo"],
},
],
envs: [
`MONGO_INITDB_ROOT_USERNAME=${mongoUsername}`,
pulumi.interpolate`MONGO_INITDB_ROOT_PASSWORD=${mongoPassword}`,
],
});
Then, we need to update the backend container to use the new authentication. We need to slightly change the value of mongoHost
first:
$ pulumi config set mongoHost mongo
mongo_container = docker.Container(
"mongo_container",
image=mongo_image.repo_digest,
name=f"mongo-{stack}",
ports=[docker.ContainerPortArgs(internal=mongo_port, external=mongo_port)],
networks_advanced=[
docker.ContainerNetworksAdvancedArgs(name=network.name, aliases=["mongo"])
],
envs=[
f"MONGO_INITDB_ROOT_USERNAME={mongo_username}",
mongo_password.apply(lambda password: f"MONGO_INITDB_ROOT_PASSWORD={password}"),
],
)
Then, we need to update the backend container to use the new authentication. We need to slightly change the value of mongo_host
first:
$ pulumi config set mongoHost mongo
Then, update the backend container resource as follows:
const backendContainer = new docker.Container("backendContainer", {
name: `backend-${stack}`,
image: backend.repoDigest,
ports: [
{
internal: backendPort,
external: backendPort,
},
],
envs: [
pulumi.interpolate`DATABASE_HOST=mongodb://${mongoUsername}:${mongoPassword}@${mongoHost}:${mongoPort}`,
`DATABASE_NAME=${database}?authSource=admin`,
`NODE_ENV=${nodeEnvironment}`,
],
networksAdvanced: [
{
name: network.name,
},
],
}, { dependsOn: [ mongoContainer ]});
And finally, add a line at the end of the program to export password as a stack output:
// ...
export { mongoPassword };
backend_container = docker.Container(
"backend_container",
image=backend.repo_digest,
name=f"backend-{stack}",
ports=[docker.ContainerPortArgs(internal=backend_port, external=backend_port)],
envs=[
pulumi.Output.concat(
"DATABASE_HOST=mongodb://",
mongo_username,
":",
mongo_password,
"@",
mongo_host,
":",
f"{mongo_port}",
), # Changed!
f"DATABASE_NAME={database}?authSource=admin", # Also changed!
f"NODE_ENV={node_environment}",
],
networks_advanced=[docker.ContainerNetworksAdvancedArgs(name=network.name)],
opts=pulumi.ResourceOptions(depends_on=[mongo_container]),
)
And finally, add a line at the end of the program to export password as a stack output:
#...
pulumi.export("mongoPassword", mongo_password)
Run pulumi up
again and notice that while the mongoPassword
output has been registered, it’s hidden from view because Pulumi is now tracking it as an encrypted secret:
Outputs:
+ mongoPassword: [secret]
url : "http://localhost:3002"
To get at the underlying plain-text value, you’ll need to pass the --show-secrets
option:
$ pulumi stack output mongoPassword --show-secrets
S3cr37
$ pulumi stack output mongoPassword --show-secrets
S3cr37
To learn more about Pulumi secrets, see the secrets documentation.
Congratulations! You’ve finished the Building with Pulumi tutorial. In this tutorial, you learned all about stacks, outputs, and stack references so you can work in multiple environments. You also learned about encrypted secrets and how to use them in your programs.
Go build new things, and watch this space for more learning experiences on Pulumi!