Pulumi allows you to encrypt any secrets stored in the backend.

This example shows how this might be done for HashiCorp Vault. It creates an S3 bucket with a single file that has a "secret" value.

To use this example, perform the following steps. This example assumes you have a working Vault server with the transit secrets backend enabled.
You should ensure you have an environment variable, `VAULT_SERVER_URL`, set to the address of your Vault server:

```bash
export VAULT_SERVER_URL="https://vault.service.consul:8201"
```
You should also have a Vault token with a policy that is adequately scoped to allow access to the transit backend. Once you do, set the `VAULT_SERVER_TOKEN` environment variable:

```bash
export VAULT_SERVER_TOKEN=<token>
```
We first need to create a key in the transit backend. Assuming it's been enabled at `/transit`, we can create the key like so:

```bash
vault write -f transit/keys/my-stack
```
Initialize your stack with Pulumi and ensure you set the `--secrets-provider` flag:

```bash
# Using your alias
pulumi stack init $PULUMI_ORG_NAME/$PULUMI_STACK_NAME --secrets-provider="hashivault://my-stack"
```
If everything has worked as expected, you should be able to verify in your stack settings that the `secretsprovider` is set:

```bash
cat Pulumi.$PULUMI_STACK_NAME.yaml
```

```yaml
secretsprovider: hashivault://my-stack
encryptedkey: dmF1bHQ6djE6TlhML000T2ZCcWVTSjRmeFhiOVpLeWNmUjErK1k0Wnh6QVhTQm56TXBvZ0dyL2RCQUdEcUFBTHdDUHNIMW8yQkxrVVJNdlNDeDdtbUd2WG0=
```
```bash
pulumi config set aws:region us-west-2
# Set the bucket name & the secret contents
pulumi config set bucketName pulumi-lbriggs
pulumi config set --secret secretValue "correct-horse-battery-stable"
# This will create the stack without prompting, be aware!
pulumi up --yes
```
```
Previewing update (vault-kms):

     Type                       Name                        Plan
 +   pulumi:pulumi:Stack        pulumi-vault-kms-vault-kms  create
 +   ├─ aws:s3:Bucket           bucket                      create
 +   └─ aws:s3:BucketObject     secret                      create

Resources:
    + 3 to create

Updating (aws-kms):

     Type                       Name                        Status
 +   pulumi:pulumi:Stack        pulumi-vault-kms-vault-kms  created
 +   ├─ aws:s3:Bucket           bucket                      created
 +   └─ aws:s3:BucketObject     secret                      created

Outputs:
    bucketId: "pulumi-lbriggs"
    secretId: "[secret]"

Resources:
    + 3 created

Duration: 8s

Permalink: <redacted>
```
You'll notice the secret value is also omitted from the output!
A quick way to verify that the encryption is using the Vault key is to remove your `VAULT_SERVER_TOKEN` environment variable setting:

```bash
unset VAULT_SERVER_TOKEN
pulumi up --yes
```

```
error: getting secrets manager: secrets (code=Unknown): Error making API request.

URL: PUT http://vault.service.consul:8200/v1/transit/decrypt/my-stack
Code: 400. Errors:

* missing client token
```