Stack status output is leaking secrets. #204

Closed
liamawhite opened this issue Sep 30, 2021 · 3 comments · Fixed by #216
Labels: impact/security, kind/bug (Some behavior is incorrect or out of spec), resolution/fixed (This issue was fixed)


liamawhite commented Sep 30, 2021

Issue details

If I run pulumi stack output the secrets are redacted. However, they are still in clear text in the stack output status.

Steps to reproduce

My stack config is:

apiVersion: pulumi.com/v1alpha1
kind: Stack
...
spec:
  backend: s3://cloud-pulumi-state
  branch: refs/heads/master
...
  projectRepo: [email protected]:tetrateio/tetrate.git
  repoDir: cloud/projects/operations/storage/aws
  secretsProvider: <REDACTED>
  stack: operations.storage.aws
  useLocalStackOnly: true
@liamawhite liamawhite added the kind/bug Some behavior is incorrect or out of spec label Sep 30, 2021
@viveklak viveklak added the ga-blocker Blocks 1.0 GA label Oct 1, 2021
viveklak commented Oct 3, 2021

I added a test in #206 to replicate the issue but it seems to behave correctly. Wonder what I am not capturing about your scenario there?

@mikhailshilkov mikhailshilkov added awaiting-feedback Blocked on input from the author and removed ga-blocker Blocks 1.0 GA labels Oct 5, 2021
viveklak commented Oct 5, 2021

The specific issue seems to stem from the stack exporting a nested object with mixed secret/non-secret items, e.g.:

elasticsearch:
  endpoint: not-secret
  kibana:
    clusterId: not-secret
    endpoint: not-secret
    port: not-secret
  password: SECRET
  port: not-secret
  username: SECRET

Currently the CLI seems to mark the individual items as secrets, while the Automation API only examines the top-level object's secret annotation; thus elasticsearch is seen to have no secret values, resulting in the nested secrets being leaked.

viveklak commented Oct 5, 2021

One workaround is to not emit secrets in a nested manner and essentially mark the object as a secret: pulumi.secret(elasticsearch)
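
As an added illustration of the two checks contrasted in the comments above and of the workaround (this is not code from the operator, the Automation API, or this thread): a Go sketch that reproduces a top-level-only secret check, a recursive redaction that finds secret leaves at any depth, and a constructed sample shaped like the elasticsearch object. The Secret type, the "[secret]" marker and the sample plaintexts are assumptions, not Pulumi's real output encoding.

```go
package main

import "fmt"

// Secret is a constructed stand-in for the engine's secret annotation on an
// output value (not Pulumi's real wire format).
type Secret struct{ Plaintext interface{} }

// IsSecretTopLevel is the flawed check from the thread: it inspects only the
// annotation on the value it is handed, never nested members.
func IsSecretTopLevel(v interface{}) bool {
	_, ok := v.(Secret)
	return ok
}

// Redact walks maps recursively, replaces every secret leaf at any depth with
// a marker, and reports whether any secret was found at any depth.
func Redact(v interface{}) (interface{}, bool) {
	switch x := v.(type) {
	case Secret:
		return "[secret]", true
	case map[string]interface{}:
		out, found := make(map[string]interface{}, len(x)), false
		for k, m := range x {
			r, f := Redact(m)
			out[k], found = r, found || f
		}
		return out, found
	}
	return v, false // plain scalar: safe to emit as is
}

// ElasticsearchOutput is a constructed sample shaped like the nested object in
// the comment above; the secret plaintexts are made up.
func ElasticsearchOutput() map[string]interface{} {
	return map[string]interface{}{
		"endpoint": "not-secret",
		"kibana":   map[string]interface{}{"clusterId": "not-secret", "endpoint": "not-secret", "port": "not-secret"},
		"password": Secret{"hunter2"},
		"port":     "not-secret",
		"username": Secret{"admin"},
	}
}

func main() {
	es := ElasticsearchOutput()
	fmt.Println("top-level check:", IsSecretTopLevel(es)) // false: the leak
	safe, found := Redact(es)
	fmt.Println("recursive check:", found, "redacted:", safe) // true
}
```

Wrapping the whole object, as the workaround does (Secret{es} here, pulumi.secret(elasticsearch) in the program), makes even the top-level check report a secret, which is why it avoids the leak.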
