Secret
Encrypts secret data with Google Cloud KMS and provides access to the ciphertext.
NOTE: Using this resource will allow you to conceal secret data within your resource definitions, but it does not take care of protecting that data in the logging output, plan output, or state output. Please take care to secure your secret data outside of resource definitions. To get more information about SecretCiphertext, see:
Warning: All arguments including
plaintextandadditional_authenticated_datawill be stored in the raw state as plain-text.
Example Usage
Kms Secret Ciphertext Basic
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRing;
import com.pulumi.gcp.kms.KeyRingArgs;
import com.pulumi.gcp.kms.CryptoKey;
import com.pulumi.gcp.kms.CryptoKeyArgs;
import com.pulumi.gcp.kms.SecretCiphertext;
import com.pulumi.gcp.kms.SecretCiphertextArgs;
import com.pulumi.gcp.compute.Instance;
import com.pulumi.gcp.compute.InstanceArgs;
import com.pulumi.gcp.compute.inputs.InstanceBootDiskArgs;
import com.pulumi.gcp.compute.inputs.InstanceBootDiskInitializeParamsArgs;
import com.pulumi.gcp.compute.inputs.InstanceNetworkInterfaceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var keyring = new KeyRing("keyring", KeyRingArgs.builder()
.location("global")
.build());
var cryptokey = new CryptoKey("cryptokey", CryptoKeyArgs.builder()
.keyRing(keyring.id())
.rotationPeriod("100000s")
.build());
var myPassword = new SecretCiphertext("myPassword", SecretCiphertextArgs.builder()
.cryptoKey(cryptokey.id())
.plaintext("my-secret-password")
.build());
var instance = new Instance("instance", InstanceArgs.builder()
.machineType("e2-medium")
.zone("us-central1-a")
.bootDisk(InstanceBootDiskArgs.builder()
.initializeParams(InstanceBootDiskInitializeParamsArgs.builder()
.image("debian-cloud/debian-11")
.build())
.build())
.networkInterfaces(InstanceNetworkInterfaceArgs.builder()
.network("default")
.accessConfigs()
.build())
.metadata(Map.of("password", myPassword.ciphertext()))
.build());
}
}Import
This resource does not support import.
Properties
The additional authenticated data used for integrity checks during encryption and decryption. Note: This property is sensitive and will not be displayed in the plan.
Contains the result of encrypting the provided plaintext, encoded in base64.