
Functions return secret values as plain #1051

Open
t0yv0 opened this issue Apr 28, 2023 · 4 comments · May be fixed by #2887
Assignees
Labels
impact/security kind/bug Some behavior is incorrect or out of spec

Comments

@t0yv0
Member

t0yv0 commented Apr 28, 2023

What happened?

Invoking a function that has output properties marked as sensitive returns plain values to the Pulumi program, bypassing the secret-bit propagation functionality of Output&lt;T&gt;. If the user later uses this data in a way that is recorded in the state file, such as using it as an input to a Resource, it can compromise safety by exposing the sensitive data in plaintext in the state file.

Blocker: pulumi/pulumi#12710

Currently cannot be implemented in the bridge as updating providers to the bridge version that supports this would break user programs. Some assistance is needed from the engine to dis-intermediate.

Expected Behavior

Sensitive data is protected and encrypted if it ends up in the state file.

Steps to reproduce

Use https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/getrandompassword/ and store the results in the statefile.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const test = aws.secretsmanager.getRandomPasswordOutput({
    excludeNumbers: true,
    passwordLength: 50,
});

export const pw = test.apply(x => x.randomPassword);

Note that the password is NOT [secret] in the stack output.

$ pulumi stack output
Current stack outputs (1):
    OUTPUT  VALUE
    pw      .UDP*(N?(L|?C&\pjJ\LKLpjC!`q%o>vEUoYl],ee]~Be<!SXy

Output of pulumi about

CLI          
Version      3.64.0
Go Version   go1.20.3
Go Compiler  gc

Plugins
NAME    VERSION
aws     5.38.0
awsx    1.0.2
docker  3.6.1
nodejs  unknown

Host     
OS       darwin
Version  13.1
Arch     x86_64

This project is written in nodejs: executable='/Users/t0yv0/.nix-profile/bin/node' version='v18.12.1'

Current Stack: t0yv0/aws-secret-leak/dev

TYPE                  URN
pulumi:pulumi:Stack   urn:pulumi:dev::aws-secret-leak::pulumi:pulumi:Stack::aws-secret-leak-dev
pulumi:providers:aws  urn:pulumi:dev::aws-secret-leak::pulumi:providers:aws::default_5_38_0


Found no pending operations associated with dev

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/t0yv0
User           t0yv0
Organizations  t0yv0, pulumi

Dependencies:
NAME            VERSION
@types/node     16.18.25
@pulumi/aws     5.38.0
@pulumi/awsx    1.0.2
@pulumi/pulumi  3.65.1

Pulumi locates its logs in /var/folders/gk/cchgxh512m72f_dmkcc3d09h0000gp/T/ by default

Additional context

Plugin Framework version (./pf Go module) started by doing this right but had to manually remove secrets due to the blocker in the engine. Reminder to remove those lines when this is ready to go.

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
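As an added illustration (not Pulumi's or the bridge's code): a minimal stand-in for Output&lt;T&gt; that models how the secret bit propagates through apply(), how an invoke that returns plain values loses it, and the two places it can be restored: the user wrapping the result with pulumi.secret() (modelled here as secret()), and the bridge marking schema-sensitive properties (modelled by a hypothetical SENSITIVE_OUTPUTS table and markSensitive()). The sample password, the token string and the schema table are all constructed for the example.

```typescript
// Added example, not Pulumi's code: a minimal stand-in for Output<T> that models
// secret-bit propagation, the invoke that returns plain values, and two fixes.
class Out<T> {
  constructor(readonly value: T, readonly secret: boolean) {}
  // apply() carries the secret bit forward, as the real Output<T> does.
  apply<U>(f: (v: T) => U): Out<U> {
    return new Out(f(this.value), this.secret);
  }
}

// Stand-in for pulumi.secret(): the user-side mitigation available today.
const secret = <T>(o: Out<T>): Out<T> => new Out(o.value, true);

interface RandomPasswordResult { randomPassword: string; id: string }
const TOKEN = "aws:secretsmanager/getRandomPassword:getRandomPassword"; // constructed

// The invoke as bridged today: every property comes back plain even though the
// provider schema marks randomPassword as sensitive. The value is constructed.
function getRandomPasswordOutputPlain(): Out<RandomPasswordResult> {
  return new Out({ randomPassword: "constructed-sample-password", id: "none" }, false);
}

// Hypothetical schema table: sensitive output properties per invoke token.
const SENSITIVE_OUTPUTS: Record<string, Set<string>> = { [TOKEN]: new Set(["randomPassword"]) };

// What a bridge-side fix does: split the result per property and set the secret
// bit on the sensitive ones, so any apply() downstream keeps it.
function markSensitive<T extends object>(token: string, r: Out<T>): { [K in keyof T]: Out<T[K]> } {
  const sensitive = SENSITIVE_OUTPUTS[token] ?? new Set<string>();
  const fields: Record<string, Out<unknown>> = {};
  for (const key of Object.keys(r.value)) {
    const v = (r.value as unknown as Record<string, unknown>)[key];
    fields[key] = new Out(v, r.secret || sensitive.has(key));
  }
  return fields as unknown as { [K in keyof T]: Out<T[K]> };
}

// The issue's program as written: the password reaches the stack output plain.
function pwAsReported(): Out<string> {
  return getRandomPasswordOutputPlain().apply(x => x.randomPassword);
}
// User-side mitigation: wrap the whole invoke result before deriving from it.
function pwUserWrapped(): Out<string> {
  return secret(getRandomPasswordOutputPlain()).apply(x => x.randomPassword);
}
// Bridge-side fix: only the sensitive property is secret; id stays plain.
function pwBridgeFixed(): { pw: Out<string>; id: Out<string> } {
  const f = markSensitive(TOKEN, getRandomPasswordOutputPlain());
  return { pw: f.randomPassword, id: f.id };
}
```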

@t0yv0 t0yv0 added needs-triage Needs attention from the triage team kind/bug Some behavior is incorrect or out of spec blocked The issue cannot be resolved without 3rd party action. impact/security labels Apr 28, 2023
@jazzyfresh jazzyfresh removed the needs-triage Needs attention from the triage team label Apr 28, 2023
@jazzyfresh
Contributor

Added to the project board

@t0yv0 t0yv0 removed the blocked The issue cannot be resolved without 3rd party action. label Oct 18, 2024
@t0yv0
Member Author

t0yv0 commented Oct 18, 2024

Platform features have been built 🥇

We can build this into the bridge now.

@t0yv0 t0yv0 added the needs-triage Needs attention from the triage team label Oct 24, 2024
@t0yv0
Member Author

t0yv0 commented Oct 24, 2024

pulumi/pulumi#12710 to be precise.

@VenelinMartinov VenelinMartinov removed the needs-triage Needs attention from the triage team label Oct 28, 2024
@mjeffryes mjeffryes added this to the 0.115 milestone Jan 17, 2025
@mikhailshilkov mikhailshilkov removed this from the 0.115 milestone Jan 31, 2025
@VenelinMartinov VenelinMartinov linked a pull request Feb 5, 2025 that will close this issue
@VenelinMartinov
Contributor

VenelinMartinov commented Feb 13, 2025

@t0yv0 raised a good point that we need to figure out how to roll this out without breaking existing usage.

Otherwise #2887 fixes the bridge bit of not outputting secrets in invokes.

More details here: #2887 (review)
