
Functions return secret values as plain #1051

@t0yv0

Description

What happened?

Invoking a function that has output properties marked as sensitive returns plain values to the Pulumi program, bypassing the secret bit propagation functionality of Output<T>. If the user later uses this data in a way that's recorded in the state file, such as using it as an input to a Resource, it can compromise safety by exposing the sensitive data in plaintext in the state file.

Blocker: pulumi/pulumi#12710

Currently cannot be implemented in the bridge as updating providers to the bridge version that supports this would break user programs. Some assistance is needed from the engine to dis-intermediate.

Expected Behavior

Sensitive data is protected and encrypted if it ends up in the state file.

Steps to reproduce

Use https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/getrandompassword/ and store the results in the statefile.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const test = aws.secretsmanager.getRandomPasswordOutput({
    excludeNumbers: true,
    passwordLength: 50,
});

export const pw = test.apply(x => x.randomPassword);

Note that the password is NOT [secret] in the stack output.

$ pulumi stack output
Current stack outputs (1):
    OUTPUT  VALUE
    pw      .UDP*(N?(L|?C&\pjJ\LKLpjC!`q%o>vEUoYl],ee]~Be<!SXy

Output of pulumi about

CLI          
Version      3.64.0
Go Version   go1.20.3
Go Compiler  gc

Plugins
NAME    VERSION
aws     5.38.0
awsx    1.0.2
docker  3.6.1
nodejs  unknown

Host     
OS       darwin
Version  13.1
Arch     x86_64

This project is written in nodejs: executable='/Users/t0yv0/.nix-profile/bin/node' version='v18.12.1'

Current Stack: t0yv0/aws-secret-leak/dev

TYPE                  URN
pulumi:pulumi:Stack   urn:pulumi:dev::aws-secret-leak::pulumi:pulumi:Stack::aws-secret-leak-dev
pulumi:providers:aws  urn:pulumi:dev::aws-secret-leak::pulumi:providers:aws::default_5_38_0


Found no pending operations associated with dev

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/t0yv0
User           t0yv0
Organizations  t0yv0, pulumi

Dependencies:
NAME            VERSION
@types/node     16.18.25
@pulumi/aws     5.38.0
@pulumi/awsx    1.0.2
@pulumi/pulumi  3.65.1

Pulumi locates its logs in /var/folders/gk/cchgxh512m72f_dmkcc3d09h0000gp/T/ by default

Additional context

Plugin Framework version (./pf Go module) started by doing this right but had to manually remove secrets due to the blocker in the engine. Reminder to remove those lines when this is ready to go.
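As an added example (not code from the issue or from the Pulumi project), a defender-side check for the failure mode described above: audit a `pulumi stack export` JSON for sensitive-looking properties that were recorded without Pulumi's secret signature, i.e. in plaintext. The sensitive-name regex and the sample export embedded below are constructed assumptions; the stack URN is the one from this issue.

```python
"""Audit a `pulumi stack export` for sensitive-looking values stored in plaintext.

Pulumi stores encrypted values in the state as a signature object
{"4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb44270", "ciphertext": ...};
any other leaf is stored as-is, which is what this bug produces for function results.
"""
import re
from typing import Any, Iterator, List, Tuple

SIG_KEY = "4dabf18193072939515e22adb298388d"    # Pulumi special-signature key
SECRET_SIG = "1b47061264138c4ac30d75fd1eb44270"  # signature value marking an encrypted secret
# Assumed heuristic for property names that should never be plaintext (includes `pw` from the issue).
SENSITIVE = re.compile(r"pw|passw|secret|token|api_?key|private_?key", re.I)

def is_encrypted(value: Any) -> bool:
    """True if `value` is a Pulumi secret envelope (ciphertext, not plaintext)."""
    return isinstance(value, dict) and value.get(SIG_KEY) == SECRET_SIG

def walk(value: Any, path: str) -> Iterator[Tuple[str, Any]]:
    """Yield (path, leaf) pairs; encrypted envelopes are treated as opaque leaves and skipped."""
    if is_encrypted(value):
        return
    if isinstance(value, dict):
        for k, v in value.items():
            yield from walk(v, f"{path}.{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, value

def find_plaintext_secrets(export: dict) -> List[str]:
    """Return paths of sensitive-named string properties stored unencrypted in inputs, outputs
    and stack outputs (stack outputs live on the pulumi:pulumi:Stack resource)."""
    findings = []
    for res in export.get("deployment", {}).get("resources", []):
        for section in ("inputs", "outputs"):
            for path, leaf in walk(res.get(section, {}), f"{res['urn']}.{section}"):
                name = path.rsplit(".", 1)[-1]  # judge by property name, not by value
                if SENSITIVE.search(name) and isinstance(leaf, str) and leaf:
                    findings.append(path)
    return findings

# Constructed sample export: the `pw` stack output landed in plaintext (the bug above),
# while a resource input wrapped with pulumi.secret() is stored as an encrypted envelope.
SAMPLE_EXPORT = {"version": 3, "deployment": {"resources": [
    {"urn": "urn:pulumi:dev::aws-secret-leak::pulumi:pulumi:Stack::aws-secret-leak-dev",
     "type": "pulumi:pulumi:Stack", "outputs": {"pw": "CONSTRUCTED-plaintext-password"}},
    {"urn": "urn:pulumi:dev::aws-secret-leak::example:index:Database::db",  # hypothetical resource
     "type": "example:index:Database",
     "inputs": {"username": "admin", "password": {SIG_KEY: SECRET_SIG, "ciphertext": "v1:CONSTRUCTED=="}},
     "outputs": {"address": "db.internal.example"}}]}}

if __name__ == "__main__":
    for finding in find_plaintext_secrets(SAMPLE_EXPORT):
        print("plaintext sensitive value:", finding)
```

Run it against real state with `json.load(open("state.json"))` in place of SAMPLE_EXPORT after `pulumi stack export --file state.json`.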
