From d82ce08f6a51d4225a8a9521afc2fc081afaec05 Mon Sep 17 00:00:00 2001
From: Michele Cereda
Date: Wed, 30 Apr 2025 03:50:55 +0200
Subject: [PATCH] feat(pulumi): get and decrypt aws access keys or user login profiles' passwords
---
 knowledge base/pulumi.md | 27 +++++++++++++++++++++++++--
 snippets/pulumi/commands.fish | 19 +++++++++++++++++++
 2 files changed, 44 insertions(+), 2 deletions(-)
diff --git a/knowledge base/pulumi.md b/knowledge base/pulumi.md
index 359122d..1e67942 100644
--- a/knowledge base/pulumi.md
+++ b/knowledge base/pulumi.md
@@ -151,6 +151,7 @@ pulumi update --refresh --yes -f --secrets-provider 'hashivault'
 # Access outputs.
 pulumi stack output 'vpcId'
 pulumi stack output 'subnetName' --show-secrets -s 'stack'
+pulumi stack output 'serviceAccount' | jq -r '.accessKey.encryptedSecret' - | base64 -d | gpg -d
 # Import existing resources.
 pulumi import 'aws:ecr/pullThroughCacheRule:PullThroughCacheRule' 'resourceName' 'prefix'
@@ -335,8 +336,7 @@ pulumi config set-all --path \
 --plaintext 'aws:defaultTags.tags.Owner=SomeOne' \
 --plaintext 'aws:defaultTags.tags.Team=SomeTeam'
-# Using the same number of threads of the machine seems to give the best
-# performance ratio.
+# Using the same number of threads of the machine seems to give the best performance ratio.
 pulumi pre --parallel "$(nproc)" --diff
 pulumi up --parallel "$(nproc)"
 
@@ -393,6 +393,29 @@ yq -iy '. += {"backend": {"url": "s3://myBucket/prefix"}}' 'Pulumi.yaml'
 # Diff the two states
 # TODO
+
+
+# Get the AWS secret access key of an aws.iam.AccessKey resource
+pulumi stack output 'someAccessKey' | jq -r '.encryptedSecret' - | base64 -d | gpg --decrypt
+pulumi stack export \
+| jq -r '
+  .deployment.resources[]
+  | select(.type=="aws:iam/accessKey:AccessKey" and .outputs.user=="someUserId")
+  | .outputs.encryptedSecret' \
+| base64 -d | gpg -d
+
+# Get the initial password created by an aws.iam.UserLoginProfile resource.
+# If no encryption is set in the resource, it will be available in plaintext at runtime as the resource's
+# 'encryptedPassword' attribute - just log it out.
+# If a PGP key is set in the resource, it will be available as base64 cyphertext at runtime as the resource's
+# 'encryptedPassword' attribute *and* it will also be available in the state for later reference.
+pulumi stack output 'someUserLoginProfile' | jq -r '.encryptedPassword' - | base64 -d | gpg --decrypt
+pulumi stack export \
+| jq -r '
+  .deployment.resources[]
+  | select(.type=="aws:iam/userLoginProfile:UserLoginProfile" and .id=="someUserId")
+  | .outputs.encryptedPassword' \
+| base64 -d | gpg -d
 ```
 ```ts
diff --git a/snippets/pulumi/commands.fish b/snippets/pulumi/commands.fish
index c2b0aa0..18ba646 100644
--- a/snippets/pulumi/commands.fish
+++ b/snippets/pulumi/commands.fish
@@ -81,6 +81,25 @@ pulumi stack export | jq -r '.deployment.resources[].provider' | grep -v 'aws::d
 # Get the AWS secret access key of an aws.iam.AccessKey resource
 pulumi stack output 'someAccessKey' | jq -r '.encryptedSecret' - | base64 -d | gpg --decrypt
+pulumi stack export \
+| jq -r '
+  .deployment.resources[]
+  | select(.type=="aws:iam/accessKey:AccessKey" and .outputs.user=="someUserId")
+  | .outputs.encryptedSecret' \
+| base64 -d | gpg -d
+
+# Get the initial password created by an aws.iam.UserLoginProfile resource.
+# If no encryption is set in the resource, it will be available in plaintext at runtime as the resource's
+# 'encryptedPassword' attribute - just log it out.
+# If a PGP key is set in the resource, it will be available as base64 cyphertext at runtime as the resource's
+# 'encryptedPassword' attribute *and* it will also be available in the state for later reference.
+pulumi stack output 'someUserLoginProfile' | jq -r '.encryptedPassword' - | base64 -d | gpg --decrypt
+pulumi stack export \
+| jq -r '
+  .deployment.resources[]
+  | select(.type=="aws:iam/userLoginProfile:UserLoginProfile" and .id=="someUserId")
+  | .outputs.encryptedPassword' \
+| base64 -d | gpg -d
 # Avoid permission errors when deleting clusters with charts and stuff.
 PULUMI_K8S_DELETE_UNREACHABLE='true' pulumi destroy
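Review bot: The filter `.outputs.user=="someUserId"` in the first added `pulumi stack export` pipeline can match more than one resource, since an IAM user may hold two access keys, and jq then prints two base64 blobs that `base64 -d | gpg -d` consume as one stream, yielding garbage or silently only the first key. Selecting on `.id` (the access key ID; a placeholder such as `someAccessKeyId` in the snippet's style) or wrapping the expression as `first(.deployment.resources[] | select(...) | .outputs.encryptedSecret)` pins the pipeline to a single ciphertext. In both export pipelines a `select` that matches nothing makes jq emit nothing, so `gpg -d` fails on empty input with an unrelated-looking message; `jq -re` would instead make jq exit non-zero, which fish exposes through `$pipestatus`. The same two pipelines are added to `knowledge base/pulumi.md` in the earlier hunk (-393,6 +393,29) and want the same change.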