
When using vault kubernetes, the inputs.tokenReviewerJwt field in the stack checkpoint JSON is not encrypted #16053

Open
kindy opened this issue Apr 25, 2024 · 1 comment
Labels
area/secrets awaiting-feedback Blocked on input from the author kind/question Questions about existing features

Comments

@kindy

kindy commented Apr 25, 2024

What happened?

As the title says.

Example

steps:

  1. install pulumi
    • pulumi version -> v3.111.1
  2. set up pulumi project
    • check Pulumi.yaml
    • check go.mod for module version
    • check main.go
  3. init stack dev, with passphrase dev
    • configure the token with --secret (value k0-jwt-token)
    • pulumi config set k8s.clusters.k0.token k0-jwt-token -s dev --secret --path
    • check Pulumi.dev.yaml
  4. run vault: vault server -dev -dev-root-token-id="dev-root"
  5. pulumi up -s dev (passphrase dev)
  6. open .state/.pulumi/stacks/pulumi-vault-test-02/dev.json
    • k0-jwt-token is searchable

code.tar.gz

Output of pulumi about

$ pulumi about 
CLI          
Version      3.111.1
Go Version   go1.22.1
Go Compiler  gc

Plugins
NAME   VERSION
go     unknown
vault  4.6.0

Host     
OS       darwin
Version  12.6
Arch     x86_64

This project is written in go: executable='/[***]/go/bin/go' version='go version go1.22.1 darwin/amd64'

Backend        
Name           M[***]V
URL            file://.state
User           q[***]
Organizations  
Token type     personal

Dependencies:
NAME                                   VERSION
github.com/pulumi/pulumi-vault/sdk/v4  v4.6.0
github.com/pulumi/pulumi/sdk/v3        v3.52.1

Pulumi locates its logs in /var/folders/_[***]p/T/ by default
warning: Failed to get information about the current stack: No current stack

Additional context

No response


@kindy kindy added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Apr 25, 2024
@justinvp
Member

justinvp commented May 6, 2024

Hi @kindy, sorry for the trouble and long delay getting back to you! Thanks for your patience.

When you read the config into your program with cfg.RequireObject, the values will be in plaintext. When passing those plaintext values as inputs elsewhere, the system won't know that they are secret values.

If you use cfg.RequireSecretObject instead, the secretness would be maintained, but you'd have to access the value inside an Apply. Since you're using the value in a loop to create resources, I wouldn't recommend that: we generally don't recommend creating resources inside an Apply because it can make previews unreliable.

Instead, in this case, I'd suggest continuing to use cfg.RequireObject, but explicitly making any values secret that should be secret when passed as inputs to other resources.

For example, instead of:

TokenReviewerJwt:     pulumi.StringPtr(cfg.Token),

explicitly make it a secret:

TokenReviewerJwt:     pulumi.ToSecret(pulumi.StringPtr(cfg.Token)).(pulumi.StringPtrOutput),

@justinvp justinvp added awaiting-feedback Blocked on input from the author kind/question Questions about existing features area/secrets and removed needs-triage Needs attention from the triage team kind/bug Some behavior is incorrect or out of spec labels May 6, 2024
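A way to check a stack for exactly this problem, as an added example that is not part of this thread and not Pulumi's own tooling: a small Go program that parses a stack checkpoint, reports every place a known secret value survives as a plaintext string, and separately lists the values that are properly secret-wrapped. The checkpoint, URNs and ciphertext below are constructed for the example. The sentinel key 4dabf18193072939515e22adb298388d with value 1b47061264138c4ac30d75fd1eb23e3b is the marker Pulumi's state format uses for a secret-wrapped value; it is taken here as an assumption, so confirm it against your own dev.json before relying on the result.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Sentinel key/value pair marking a secret-wrapped value in a Pulumi state
// file. Assumption for this example: grep your own dev.json for the key to
// confirm it matches.
const (
	sigKey    = "4dabf18193072939515e22adb298388d"
	secretSig = "1b47061264138c4ac30d75fd1eb23e3b"
)

// sampleCheckpoint is a constructed, trimmed-down stack checkpoint. Names,
// URNs and ciphertext are made up. The first resource received
// TokenReviewerJwt as a plain string, the second received it wrapped with
// pulumi.ToSecret.
const sampleCheckpoint = `{
  "version": 3,
  "checkpoint": {"stack": "dev", "latest": {"resources": [
    {"urn": "urn:pulumi:dev::example::vault:kubernetes/authBackendConfig:AuthBackendConfig::k0-plain",
     "inputs": {"backend": "kubernetes-k0", "tokenReviewerJwt": "k0-jwt-token"}},
    {"urn": "urn:pulumi:dev::example::vault:kubernetes/authBackendConfig:AuthBackendConfig::k1-secret",
     "inputs": {"backend": "kubernetes-k1", "tokenReviewerJwt": {
       "4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb23e3b",
       "ciphertext": "v1:made-up-nonce:made-up-ciphertext"}}}
  ]}}
}`

// Leak records a plaintext occurrence of a known secret value.
type Leak struct {
	Path   string // JSONPath-style location inside the checkpoint
	Secret string // which known secret value was found there
}

// Report separates plaintext leaks from values that are secret-wrapped.
type Report struct {
	Leaks     []Leak
	Encrypted []string // paths whose value is stored as ciphertext only
}

// ScanCheckpoint parses a checkpoint and reports every known secret value
// that appears as, or inside, a plaintext string. Secret-wrapped objects are
// recorded and not descended into: their ciphertext never holds the value.
func ScanCheckpoint(data []byte, known []string) (Report, error) {
	var root interface{}
	if err := json.Unmarshal(data, &root); err != nil {
		return Report{}, fmt.Errorf("parse checkpoint: %w", err)
	}
	var r Report
	walk(root, "$", known, &r)
	// Map iteration order is random; sort so results are stable.
	sort.Slice(r.Leaks, func(i, j int) bool { return r.Leaks[i].Path < r.Leaks[j].Path })
	sort.Strings(r.Encrypted)
	return r, nil
}

func walk(node interface{}, path string, known []string, r *Report) {
	switch v := node.(type) {
	case map[string]interface{}:
		if s, ok := v[sigKey].(string); ok && s == secretSig {
			r.Encrypted = append(r.Encrypted, path)
			return
		}
		for k, child := range v {
			walk(child, path+"."+k, known, r)
		}
	case []interface{}:
		for i, child := range v {
			walk(child, fmt.Sprintf("%s[%d]", path, i), known, r)
		}
	case string:
		for _, s := range known {
			if s != "" && strings.Contains(v, s) {
				r.Leaks = append(r.Leaks, Leak{Path: path, Secret: s})
			}
		}
	}
}

func main() {
	r, err := ScanCheckpoint([]byte(sampleCheckpoint), []string{"k0-jwt-token"})
	if err != nil {
		panic(err)
	}
	for _, l := range r.Leaks {
		fmt.Printf("PLAINTEXT %s at %s\n", l.Secret, l.Path)
	}
	for _, p := range r.Encrypted {
		fmt.Printf("encrypted  %s\n", p)
	}
}
```

To run it against a real stack, read .state/.pulumi/stacks/<project>/dev.json with os.ReadFile in place of sampleCheckpoint and pass the values you set with pulumi config --secret. A hit under inputs means the value reached the resource without being marked secret, which is the case pulumi.ToSecret on the input is meant to close; a hit under outputs means the provider did not mark that output secret either, and the same wrapping on the consuming side is needed.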