Allow ESC to grant access to secrets provider key without running pulumi env run #458

Open
pierskarsenbarg opened this issue Sep 26, 2024 · 0 comments
Labels
kind/enhancement Improvements or new features
@pierskarsenbarg
Member

Pulumi allows users to bring their own encryption key as a secret provider.

It's possible to use ESC and the Pulumi CLI in non-interactive mode to grant access to the key and run an update.

So for example, with this Pulumi program:

```typescript
import * as random from "@pulumi/random";

export const pw = new random.RandomPassword("pw", {
    length: 20
}).result;
```

and this environment:

```yaml
values:
  aws:
    region: eu-west-1
    creds:
      fn::open::aws-login:
        oidc:
          duration: 1h
          roleArn: arn:aws:iam::{accountId}:role/{roleName}
          sessionName: pulumi-environments-session
  environmentVariables:
    AWS_ACCESS_KEY_ID: ${aws.creds.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${aws.creds.secretAccessKey}
    AWS_SESSION_TOKEN: ${aws.creds.sessionToken}
    AWS_REGION: ${aws.region}
```

I can run `pulumi env run {escProjectName}/{environmentName} -- pulumi up --yes` (`--yes` is needed because we're running Pulumi in non-interactive mode) and this will work.

It would be nice to be able to do this just with `pulumi up`.


@pierskarsenbarg pierskarsenbarg added the kind/enhancement Improvements or new features label Sep 26, 2024
@pulumi-bot pulumi-bot added the needs-triage Needs attention from the triage team label Sep 26, 2024
@cleverguy25 cleverguy25 removed the needs-triage Needs attention from the triage team label Sep 26, 2024
@cleverguy25 cleverguy25 added this to the 0.112 milestone Sep 26, 2024