Forneims

Reputation: 21

Prevent secrets from ending up in the Pulumi statefile

I am using Pulumi to manage some resources in Snowflake. This requires providing Snowflake credentials to Pulumi, so that Pulumi can authenticate with Snowflake and act on my behalf.

I am using the DIY backend and I don't use Pulumi cloud.

I provide those via pulumi config set snowflake:privateKey. Then the private key ends up in my Pulumi.dev.yaml file, encrypted, which is reasonable.

However, the password also ends up in the state file, where I see:

{
    "urn": "urn:pulumi:dev::bootstrap::pulumi:providers:snowflake::default_1_1_2",
    "custom": true,
    "id": "[REDACTED]",
    "type": "pulumi:providers:snowflake",
    "inputs": {
        "__internal": {},
        "accountName": "[REDACTED]",
        "authenticator": "SNOWFLAKE_JWT",
        "organizationName": "[REDACTED]",
        "privateKey": {
            "[REDACTED]",
            "ciphertext": "[REDACTED]"
        },
        "role": "ACCOUNTADMIN",
        "user": "[REDACTED]",
        "version": "1.1.2"
},

It looks like the private key is saved to the statefile. I can see some marginal utility for this in some cases - it is technically an input to the Pulumi resource, thus by saving the private key, Pulumi can detect when a different private key is used. This marginal utility is useless to me; I don't care when/if the private key changes.

  1. Is there a benefit to saving the private key in the state file, other than what I mentioned? Do other IaC platforms like Terraform also do this?
  2. Is there a way to prevent Pulumi from saving the private key in the state file?

Upvotes: 0

Views: 12
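Whatever the answer to question 2 turns out to be, the practical control a defender wants is a check that tells you which secret-looking values in a state export are stored as encrypted wrappers (the shape shown above, a mapping carrying a "ciphertext" field) and which are sitting in the file as bare values. The following script is an added example written for this page, not Pulumi's own tooling. It assumes the JSON layout of a pulumi stack export (resources under deployment.resources, each with "urn", "inputs" and "outputs"), treats a mapping with a "ciphertext" field as an encrypted secret and one with a "plaintext" field as a secret that was decrypted into the export, and uses a key-name regex of my own choosing as the heuristic for "sensitive". The embedded state document is constructed to mirror the provider resource from the question plus one extra resource with an unprotected password.

```python
"""Audit a `pulumi stack export` JSON document for secret-looking values.

Added example for the question above; not part of Pulumi.
Assumptions (not Pulumi-documented behaviour): an encrypted secret is a
mapping with a "ciphertext" field; a secret exported with --show-secrets
is a mapping with a "plaintext" field; the SENSITIVE_KEY regex is my own
heuristic for which input/output names should have been secrets.
"""
import json
import re
from typing import Any, Iterator, Optional

# Heuristic (assumption): names that should normally hold a secret.
SENSITIVE_KEY = re.compile(
    r"(private.?key|password|passwd|secret|token|api.?key)", re.IGNORECASE
)


def classify(value: Any) -> Optional[str]:
    """Return 'ciphertext' or 'plaintext' if value is a secret wrapper, else None."""
    if isinstance(value, dict):
        if "ciphertext" in value:
            return "ciphertext"
        if "plaintext" in value:
            return "plaintext"
    return None


def walk(value: Any, path: str) -> Iterator[tuple]:
    """Yield (dotted path, value) for every leaf; secret wrappers are yielded whole."""
    if classify(value) is not None:
        yield path, value
        return
    if isinstance(value, dict):
        for key, child in value.items():
            yield from walk(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for idx, child in enumerate(value):
            yield from walk(child, f"{path}[{idx}]")
    else:
        yield path, value


def audit_state(state: dict) -> list:
    """List every secret wrapper and every bare value under a sensitive-looking name.

    storage is 'ciphertext' (encrypted in state), 'plaintext' (decrypted
    into the export) or 'bare' (never marked secret at all).
    """
    findings = []
    for res in state.get("deployment", {}).get("resources", []):
        urn = res.get("urn", "<no urn>")
        for section in ("inputs", "outputs"):
            for path, value in walk(res.get(section, {}), section):
                kind = classify(value)
                last_segment = path.rsplit(".", 1)[-1]
                if kind is None and not SENSITIVE_KEY.search(last_segment):
                    continue  # ordinary, non-sensitive leaf
                findings.append({"urn": urn, "path": path, "storage": kind or "bare"})
    return findings


def has_exposures(findings: list) -> bool:
    """True if any secret is readable from the export (bare or decrypted)."""
    return any(f["storage"] != "ciphertext" for f in findings)


# Constructed sample export: mirrors the provider resource in the question
# (values replaced with obvious placeholders) plus a resource whose password
# was never marked secret.
SAMPLE_EXPORT = json.loads("""
{
  "version": 3,
  "deployment": {
    "resources": [
      {
        "urn": "urn:pulumi:dev::bootstrap::pulumi:providers:snowflake::default_1_1_2",
        "type": "pulumi:providers:snowflake",
        "inputs": {
          "accountName": "EXAMPLE-ACCOUNT",
          "authenticator": "SNOWFLAKE_JWT",
          "privateKey": {"ciphertext": "v1:CONSTRUCTED-CIPHERTEXT"},
          "role": "ACCOUNTADMIN",
          "user": "EXAMPLE_USER"
        },
        "outputs": {}
      },
      {
        "urn": "urn:pulumi:dev::bootstrap::snowflake:index/user:User::svc",
        "type": "snowflake:index/user:User",
        "inputs": {"name": "SVC", "password": "constructed-not-a-real-password"},
        "outputs": {"name": "SVC", "password": "constructed-not-a-real-password"}
      }
    ]
  }
}
""")

if __name__ == "__main__":
    for finding in audit_state(SAMPLE_EXPORT):
        print(f"{finding['storage']:<10} {finding['urn']} {finding['path']}")
```

Run it against a real export with `pulumi stack export | python audit_state.py` after replacing the constructed sample with `json.load(sys.stdin)`; wiring has_exposures into a CI gate turns "is a secret readable from my state file?" into a failing build rather than a manual inspection. Note that "bare" findings are the ones that matter most: a value under a secret-looking name that was never marked as a secret will also be readable in plaintext by anyone with access to the DIY backend's storage.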

Answers (0)
