The Output of `get_secret_output` is not marked as a secret

[SharpEdgeMarshall]

What happened?

Calling get_secret_output returns an Output that is not marked as secret and is shown in the preview if passed to other resources.

Example

Code:

credentials_data = pulumi_vault.generic.get_secret_output(path=f"rabbitmq/creds/my-role").data
provider = rabbitmq.Provider(
            "rabbitmq-provider",
            username=credentials_data.apply(lambda data: data["username"]),
            password=credentials_data.apply(lambda data: data["password"]),
        )

Preview diff:

+ pulumi:providers:rabbitmq: (create)
    [urn=URN]
    endpoint: [secret]
    password: "CLEAR_TEXT_PASSWORD"
    username: "CLEAR_TEXT_USERNAME"
    version : "3.3.1"

Workaround:

credentials_data = pulumi_vault.generic.get_secret_output(path=f"rabbitmq/creds/my-role").data
provider = rabbitmq.Provider(
            "rabbitmq-provider",
            username=pulumi.Output.secret(credentials_data.apply(lambda data: data["username"])),
            password=pulumi.Output.secret(credentials_data.apply(lambda data: data["password"])),
        )

Output of pulumi about

CLI
Version 3.106.0
Go Version go1.22.0
Go Compiler gc

Plugins
python unknown
rabbitmq 3.3.1
vault 5.20.0

Host
OS darwin
Version 14.3.1
Arch arm64

This project is written in python: executable='/Users/my-user/.pyenv/shims/python3' version='3.9.18'

Dependencies:
NAME VERSION
black 22.12.0
flake8 3.9.2
isort 5.12.0
mypy 0.910
pip 23.3.1
pulumi_rabbitmq 3.3.1
pulumi_vault 5.20.0
setuptools 69.0.2

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[iwahbe]

Hey @SharpEdgeMarshall. Thanks for bringing this to our attention.

---

The bridge correctly marks these function outputs as secret in the schema:

https://github.com/pulumi/pulumi-vault/blob/23d71ff5ce3685154d99cbed959e8a92cef57e82/provider/cmd/pulumi-resource-vault/schema.json#L31069-L31082

We see this take effect for the generic.Secret resource:

pulumi-vault/sdk/python/pulumi_vault/generic/secret.py

Line 357 in 23d71ff

secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["data", "dataJson"])

I don't see any similar code to pass secrets to resource options. I'll open an issue in pulumi/pulumi. (issue created)

In the mean time, you can call pulumi.Output.secret to convert non-secret outputs to secret values:

credentials_data = pulumi_vault.generic.get_secret_output(path=f"rabbitmq/creds/my-role").data
provider = rabbitmq.Provider(
            "rabbitmq-provider",
            username=pulumi.Output.secret(credentials_data.apply(lambda data: data["username"])),
            password=pulumi.Output.secret(credentials_data.apply(lambda data: data["password"])),
        )

[SharpEdgeMarshall]

Thank you @iwahbe for the answer, that's exactly what we ended up doing I simply forgot to add it to the issue. 👍

[github-actions]

Unfortunately, it looks like this issue hasn't seen any updates in a while. If you're still experiencing this issue, could you leave a quick comment to let us know so we can prioritize it?