Docs Home
Packages
Google Cloud Classic v8.3.1 published on Wednesday, Sep 25, 2024 by Pulumi
gcp.kms.getKMSSecretCiphertext
Explore with Pulumi AI
!> Warning: This data source is deprecated. Use the gcp.kms.SecretCiphertext resource instead.
This data source allows you to encrypt data with Google Cloud KMS and use the ciphertext within your resource definitions.
For more information see the official documentation.
NOTE: Using this data source will allow you to conceal secret data within your resource definitions, but it does not take care of protecting that data in the logging output, plan output, or state output. Please take care to secure your secret data outside of resource definitions.
Example Usage
First, create a KMS KeyRing and CryptoKey using the resource definitions:
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const myKeyRing = new gcp.kms.KeyRing("my_key_ring", {
project: "my-project",
name: "my-key-ring",
location: "us-central1",
});
const myCryptoKey = new gcp.kms.CryptoKey("my_crypto_key", {
name: "my-crypto-key",
keyRing: myKeyRing.id,
});
import pulumi
import pulumi_gcp as gcp
my_key_ring = gcp.kms.KeyRing("my_key_ring",
project="my-project",
name="my-key-ring",
location="us-central1")
my_crypto_key = gcp.kms.CryptoKey("my_crypto_key",
name="my-crypto-key",
key_ring=my_key_ring.id)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
myKeyRing, err := kms.NewKeyRing(ctx, "my_key_ring", &kms.KeyRingArgs{
Project: pulumi.String("my-project"),
Name: pulumi.String("my-key-ring"),
Location: pulumi.String("us-central1"),
})
if err != nil {
return err
}
_, err = kms.NewCryptoKey(ctx, "my_crypto_key", &kms.CryptoKeyArgs{
Name: pulumi.String("my-crypto-key"),
KeyRing: myKeyRing.ID(),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var myKeyRing = new Gcp.Kms.KeyRing("my_key_ring", new()
{
Project = "my-project",
Name = "my-key-ring",
Location = "us-central1",
});
var myCryptoKey = new Gcp.Kms.CryptoKey("my_crypto_key", new()
{
Name = "my-crypto-key",
KeyRing = myKeyRing.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRing;
import com.pulumi.gcp.kms.KeyRingArgs;
import com.pulumi.gcp.kms.CryptoKey;
import com.pulumi.gcp.kms.CryptoKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var myKeyRing = new KeyRing("myKeyRing", KeyRingArgs.builder()
.project("my-project")
.name("my-key-ring")
.location("us-central1")
.build());
var myCryptoKey = new CryptoKey("myCryptoKey", CryptoKeyArgs.builder()
.name("my-crypto-key")
.keyRing(myKeyRing.id())
.build());
}
}
resources:
myKeyRing:
type: gcp:kms:KeyRing
name: my_key_ring
properties:
project: my-project
name: my-key-ring
location: us-central1
myCryptoKey:
type: gcp:kms:CryptoKey
name: my_crypto_key
properties:
name: my-crypto-key
keyRing: ${myKeyRing.id}
Next, encrypt some sensitive information and use the encrypted data in your resource definitions:
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const myPassword = gcp.kms.getKMSSecretCiphertext({
cryptoKey: myCryptoKey.id,
plaintext: "my-secret-password",
});
const instance = new gcp.compute.Instance("instance", {
networkInterfaces: [{
accessConfigs: [{}],
network: "default",
}],
name: "test",
machineType: "e2-medium",
zone: "us-central1-a",
bootDisk: {
initializeParams: {
image: "debian-cloud/debian-11",
},
},
metadata: {
password: myPassword.then(myPassword => myPassword.ciphertext),
},
});
import pulumi
import pulumi_gcp as gcp
my_password = gcp.kms.get_kms_secret_ciphertext(crypto_key=my_crypto_key["id"],
plaintext="my-secret-password")
instance = gcp.compute.Instance("instance",
network_interfaces=[{
"access_configs": [{}],
"network": "default",
}],
name="test",
machine_type="e2-medium",
zone="us-central1-a",
boot_disk={
"initialize_params": {
"image": "debian-cloud/debian-11",
},
},
metadata={
"password": my_password.ciphertext,
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
myPassword, err := kms.GetKMSSecretCiphertext(ctx, &kms.GetKMSSecretCiphertextArgs{
CryptoKey: myCryptoKey.Id,
Plaintext: "my-secret-password",
}, nil)
if err != nil {
return err
}
_, err = compute.NewInstance(ctx, "instance", &compute.InstanceArgs{
NetworkInterfaces: compute.InstanceNetworkInterfaceArray{
&compute.InstanceNetworkInterfaceArgs{
AccessConfigs: compute.InstanceNetworkInterfaceAccessConfigArray{
nil,
},
Network: pulumi.String("default"),
},
},
Name: pulumi.String("test"),
MachineType: pulumi.String("e2-medium"),
Zone: pulumi.String("us-central1-a"),
BootDisk: &compute.InstanceBootDiskArgs{
InitializeParams: &compute.InstanceBootDiskInitializeParamsArgs{
Image: pulumi.String("debian-cloud/debian-11"),
},
},
Metadata: pulumi.StringMap{
"password": pulumi.String(myPassword.Ciphertext),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var myPassword = Gcp.Kms.GetKMSSecretCiphertext.Invoke(new()
{
CryptoKey = myCryptoKey.Id,
Plaintext = "my-secret-password",
});
var instance = new Gcp.Compute.Instance("instance", new()
{
NetworkInterfaces = new[]
{
new Gcp.Compute.Inputs.InstanceNetworkInterfaceArgs
{
AccessConfigs = new[]
{
null,
},
Network = "default",
},
},
Name = "test",
MachineType = "e2-medium",
Zone = "us-central1-a",
BootDisk = new Gcp.Compute.Inputs.InstanceBootDiskArgs
{
InitializeParams = new Gcp.Compute.Inputs.InstanceBootDiskInitializeParamsArgs
{
Image = "debian-cloud/debian-11",
},
},
Metadata =
{
{ "password", myPassword.Apply(getKMSSecretCiphertextResult => getKMSSecretCiphertextResult.Ciphertext) },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KmsFunctions;
import com.pulumi.gcp.kms.inputs.GetKMSSecretCiphertextArgs;
import com.pulumi.gcp.compute.Instance;
import com.pulumi.gcp.compute.InstanceArgs;
import com.pulumi.gcp.compute.inputs.InstanceNetworkInterfaceArgs;
import com.pulumi.gcp.compute.inputs.InstanceBootDiskArgs;
import com.pulumi.gcp.compute.inputs.InstanceBootDiskInitializeParamsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var myPassword = KmsFunctions.getKMSSecretCiphertext(GetKMSSecretCiphertextArgs.builder()
.cryptoKey(myCryptoKey.id())
.plaintext("my-secret-password")
.build());
var instance = new Instance("instance", InstanceArgs.builder()
.networkInterfaces(InstanceNetworkInterfaceArgs.builder()
.accessConfigs()
.network("default")
.build())
.name("test")
.machineType("e2-medium")
.zone("us-central1-a")
.bootDisk(InstanceBootDiskArgs.builder()
.initializeParams(InstanceBootDiskInitializeParamsArgs.builder()
.image("debian-cloud/debian-11")
.build())
.build())
.metadata(Map.of("password", myPassword.applyValue(getKMSSecretCiphertextResult -> getKMSSecretCiphertextResult.ciphertext())))
.build());
}
}
resources:
instance:
type: gcp:compute:Instance
properties:
networkInterfaces:
- accessConfigs:
- {}
network: default
name: test
machineType: e2-medium
zone: us-central1-a
bootDisk:
initializeParams:
image: debian-cloud/debian-11
metadata:
password: ${myPassword.ciphertext}
variables:
myPassword:
fn::invoke:
Function: gcp:kms:getKMSSecretCiphertext
Arguments:
cryptoKey: ${myCryptoKey.id}
plaintext: my-secret-password
The resulting instance can then access the encrypted password from its metadata and decrypt it, e.g. using the Cloud SDK):
$ curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/attributes/password \
> | base64 -d | gcloud kms decrypt \
> --project my-project \
> --location us-central1 \
> --keyring my-key-ring \
> --key my-crypto-key \
> --plaintext-file - \
> --ciphertext-file - \
my-secret-password
Using getKMSSecretCiphertext
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getKMSSecretCiphertext(args: GetKMSSecretCiphertextArgs, opts?: InvokeOptions): Promise<GetKMSSecretCiphertextResult>
function getKMSSecretCiphertextOutput(args: GetKMSSecretCiphertextOutputArgs, opts?: InvokeOptions): Output<GetKMSSecretCiphertextResult>def get_kms_secret_ciphertext(crypto_key: Optional[str] = None,
plaintext: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetKMSSecretCiphertextResult
def get_kms_secret_ciphertext_output(crypto_key: Optional[pulumi.Input[str]] = None,
plaintext: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetKMSSecretCiphertextResult]func GetKMSSecretCiphertext(ctx *Context, args *GetKMSSecretCiphertextArgs, opts ...InvokeOption) (*GetKMSSecretCiphertextResult, error)
func GetKMSSecretCiphertextOutput(ctx *Context, args *GetKMSSecretCiphertextOutputArgs, opts ...InvokeOption) GetKMSSecretCiphertextResultOutput> Note: This function is named GetKMSSecretCiphertext in the Go SDK.
public static class GetKMSSecretCiphertext
{
public static Task<GetKMSSecretCiphertextResult> InvokeAsync(GetKMSSecretCiphertextArgs args, InvokeOptions? opts = null)
public static Output<GetKMSSecretCiphertextResult> Invoke(GetKMSSecretCiphertextInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetKMSSecretCiphertextResult> getKMSSecretCiphertext(GetKMSSecretCiphertextArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
function: gcp:kms/getKMSSecretCiphertext:getKMSSecretCiphertext
arguments:
# arguments dictionaryThe following arguments are supported:
- crypto_
key str - The id of the CryptoKey that will be used to
encrypt the provided plaintext. This is represented by the format
{projectId}/{location}/{keyRingName}/{cryptoKeyName}. - plaintext str
- The plaintext to be encrypted
getKMSSecretCiphertext Result
The following output properties are available:
- Ciphertext string
- Contains the result of encrypting the provided plaintext, encoded in base64.
- Crypto
Key string - Id string
- The provider-assigned unique ID for this managed resource.
- Plaintext string
- Ciphertext string
- Contains the result of encrypting the provided plaintext, encoded in base64.
- Crypto
Key string - Id string
- The provider-assigned unique ID for this managed resource.
- Plaintext string
- ciphertext String
- Contains the result of encrypting the provided plaintext, encoded in base64.
- crypto
Key String - id String
- The provider-assigned unique ID for this managed resource.
- plaintext String
- ciphertext string
- Contains the result of encrypting the provided plaintext, encoded in base64.
- crypto
Key string - id string
- The provider-assigned unique ID for this managed resource.
- plaintext string
- ciphertext str
- Contains the result of encrypting the provided plaintext, encoded in base64.
- crypto_
key str - id str
- The provider-assigned unique ID for this managed resource.
- plaintext str
- ciphertext String
- Contains the result of encrypting the provided plaintext, encoded in base64.
- crypto
Key String - id String
- The provider-assigned unique ID for this managed resource.
- plaintext String
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-betaTerraform Provider.