pulumi-gcp-kotlin/com.pulumi.gcp.kms.kotlin/KmsFunctions/getKMSSecret

getKMSSecret

suspend fun getKMSSecret(argument: GetKMSSecretPlainArgs): GetKMSSecretResult

This data source allows you to use data encrypted with Google Cloud KMS within your resource definitions. For more information see the official documentation.

NOTE: Using this data provider will allow you to conceal secret data within your resource definitions, but it does not take care of protecting that data in the logging output, plan output, or state output. Please take care to secure your secret data outside of resource definitions.

Example Usage

First, create a KMS KeyRing and CryptoKey using the resource definitions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const myKeyRing = new gcp.kms.KeyRing("my_key_ring", {
    project: "my-project",
    name: "my-key-ring",
    location: "us-central1",
});
const myCryptoKey = new gcp.kms.CryptoKey("my_crypto_key", {
    name: "my-crypto-key",
    keyRing: myKeyRing.id,
});
Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
my_key_ring = gcp.kms.KeyRing("my_key_ring",
    project="my-project",
    name="my-key-ring",
    location="us-central1")
my_crypto_key = gcp.kms.CryptoKey("my_crypto_key",
    name="my-crypto-key",
    key_ring=my_key_ring.id)
Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    var myKeyRing = new Gcp.Kms.KeyRing("my_key_ring", new()
    {
        Project = "my-project",
        Name = "my-key-ring",
        Location = "us-central1",
    });
    var myCryptoKey = new Gcp.Kms.CryptoKey("my_crypto_key", new()
    {
        Name = "my-crypto-key",
        KeyRing = myKeyRing.Id,
    });
});
Content copied to clipboard
package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		myKeyRing, err := kms.NewKeyRing(ctx, "my_key_ring", &kms.KeyRingArgs{
			Project:  pulumi.String("my-project"),
			Name:     pulumi.String("my-key-ring"),
			Location: pulumi.String("us-central1"),
		})
		if err != nil {
			return err
		}
		_, err = kms.NewCryptoKey(ctx, "my_crypto_key", &kms.CryptoKeyArgs{
			Name:    pulumi.String("my-crypto-key"),
			KeyRing: myKeyRing.ID(),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRing;
import com.pulumi.gcp.kms.KeyRingArgs;
import com.pulumi.gcp.kms.CryptoKey;
import com.pulumi.gcp.kms.CryptoKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var myKeyRing = new KeyRing("myKeyRing", KeyRingArgs.builder()
            .project("my-project")
            .name("my-key-ring")
            .location("us-central1")
            .build());
        var myCryptoKey = new CryptoKey("myCryptoKey", CryptoKeyArgs.builder()
            .name("my-crypto-key")
            .keyRing(myKeyRing.id())
            .build());
    }
}
Content copied to clipboard
resources:
  myKeyRing:
    type: gcp:kms:KeyRing
    name: my_key_ring
    properties:
      project: my-project
      name: my-key-ring
      location: us-central1
  myCryptoKey:
    type: gcp:kms:CryptoKey
    name: my_crypto_key
    properties:
      name: my-crypto-key
      keyRing: ${myKeyRing.id}
Content copied to clipboard

Next, use the Cloud SDK to encrypt some sensitive information:

$ echo -n my-secret-password | gcloud kms encrypt \
> --project my-project \
> --location us-central1 \
> --keyring my-key-ring \
> --key my-crypto-key \
> --plaintext-file - \
> --ciphertext-file - \
> | base64
CiQAqD+xX4SXOSziF4a8JYvq4spfAuWhhYSNul33H85HnVtNQW4SOgDu2UZ46dQCRFl5MF6ekabviN8xq+F+2035ZJ85B+xTYXqNf4mZs0RJitnWWuXlYQh6axnnJYu3kDU=
Content copied to clipboard

Finally, reference the encrypted ciphertext in your resource definitions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as random from "@pulumi/random";
const sqlUserPassword = gcp.kms.getKMSSecret({
    cryptoKey: myCryptoKey.id,
    ciphertext: "CiQAqD+xX4SXOSziF4a8JYvq4spfAuWhhYSNul33H85HnVtNQW4SOgDu2UZ46dQCRFl5MF6ekabviN8xq+F+2035ZJ85B+xTYXqNf4mZs0RJitnWWuXlYQh6axnnJYu3kDU=",
});
const dbNameSuffix = new random.RandomId("db_name_suffix", {byteLength: 4});
const main = new gcp.sql.DatabaseInstance("main", {
    name: pulumi.interpolate`main-instance-${dbNameSuffix.hex}`,
    databaseVersion: "MYSQL_5_7",
    settings: {
        tier: "db-f1-micro",
    },
});
const users = new gcp.sql.User("users", {
    name: "me",
    instance: main.name,
    host: "me.com",
    password: sqlUserPassword.then(sqlUserPassword => sqlUserPassword.plaintext),
});
Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
import pulumi_random as random
sql_user_password = gcp.kms.get_kms_secret(crypto_key=my_crypto_key["id"],
    ciphertext="CiQAqD+xX4SXOSziF4a8JYvq4spfAuWhhYSNul33H85HnVtNQW4SOgDu2UZ46dQCRFl5MF6ekabviN8xq+F+2035ZJ85B+xTYXqNf4mZs0RJitnWWuXlYQh6axnnJYu3kDU=")
db_name_suffix = random.RandomId("db_name_suffix", byte_length=4)
main = gcp.sql.DatabaseInstance("main",
    name=db_name_suffix.hex.apply(lambda hex: f"main-instance-{hex}"),
    database_version="MYSQL_5_7",
    settings={
        "tier": "db-f1-micro",
    })
users = gcp.sql.User("users",
    name="me",
    instance=main.name,
    host="me.com",
    password=sql_user_password.plaintext)
Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Random = Pulumi.Random;
return await Deployment.RunAsync(() =>
{
    var sqlUserPassword = Gcp.Kms.GetKMSSecret.Invoke(new()
    {
        CryptoKey = myCryptoKey.Id,
        Ciphertext = "CiQAqD+xX4SXOSziF4a8JYvq4spfAuWhhYSNul33H85HnVtNQW4SOgDu2UZ46dQCRFl5MF6ekabviN8xq+F+2035ZJ85B+xTYXqNf4mZs0RJitnWWuXlYQh6axnnJYu3kDU=",
    });
    var dbNameSuffix = new Random.RandomId("db_name_suffix", new()
    {
        ByteLength = 4,
    });
    var main = new Gcp.Sql.DatabaseInstance("main", new()
    {
        Name = dbNameSuffix.Hex.Apply(hex => $"main-instance-{hex}"),
        DatabaseVersion = "MYSQL_5_7",
        Settings = new Gcp.Sql.Inputs.DatabaseInstanceSettingsArgs
        {
            Tier = "db-f1-micro",
        },
    });
    var users = new Gcp.Sql.User("users", new()
    {
        Name = "me",
        Instance = main.Name,
        Host = "me.com",
        Password = sqlUserPassword.Apply(getKMSSecretResult => getKMSSecretResult.Plaintext),
    });
});
Content copied to clipboard
package main
import (
	"fmt"
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/kms"
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/sql"
	"github.com/pulumi/pulumi-random/sdk/v4/go/random"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sqlUserPassword, err := kms.GetKMSSecret(ctx, &kms.GetKMSSecretArgs{
			CryptoKey:  myCryptoKey.Id,
			Ciphertext: "CiQAqD+xX4SXOSziF4a8JYvq4spfAuWhhYSNul33H85HnVtNQW4SOgDu2UZ46dQCRFl5MF6ekabviN8xq+F+2035ZJ85B+xTYXqNf4mZs0RJitnWWuXlYQh6axnnJYu3kDU=",
		}, nil)
		if err != nil {
			return err
		}
		dbNameSuffix, err := random.NewRandomId(ctx, "db_name_suffix", &random.RandomIdArgs{
			ByteLength: pulumi.Int(4),
		})
		if err != nil {
			return err
		}
		main, err := sql.NewDatabaseInstance(ctx, "main", &sql.DatabaseInstanceArgs{
			Name: dbNameSuffix.Hex.ApplyT(func(hex string) (string, error) {
				return fmt.Sprintf("main-instance-%v", hex), nil
			}).(pulumi.StringOutput),
			DatabaseVersion: pulumi.String("MYSQL_5_7"),
			Settings: &sql.DatabaseInstanceSettingsArgs{
				Tier: pulumi.String("db-f1-micro"),
			},
		})
		if err != nil {
			return err
		}
		_, err = sql.NewUser(ctx, "users", &sql.UserArgs{
			Name:     pulumi.String("me"),
			Instance: main.Name,
			Host:     pulumi.String("me.com"),
			Password: pulumi.String(sqlUserPassword.Plaintext),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KmsFunctions;
import com.pulumi.gcp.kms.inputs.GetKMSSecretArgs;
import com.pulumi.random.RandomId;
import com.pulumi.random.RandomIdArgs;
import com.pulumi.gcp.sql.DatabaseInstance;
import com.pulumi.gcp.sql.DatabaseInstanceArgs;
import com.pulumi.gcp.sql.inputs.DatabaseInstanceSettingsArgs;
import com.pulumi.gcp.sql.User;
import com.pulumi.gcp.sql.UserArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        final var sqlUserPassword = KmsFunctions.getKMSSecret(GetKMSSecretArgs.builder()
            .cryptoKey(myCryptoKey.id())
            .ciphertext("CiQAqD+xX4SXOSziF4a8JYvq4spfAuWhhYSNul33H85HnVtNQW4SOgDu2UZ46dQCRFl5MF6ekabviN8xq+F+2035ZJ85B+xTYXqNf4mZs0RJitnWWuXlYQh6axnnJYu3kDU=")
            .build());
        var dbNameSuffix = new RandomId("dbNameSuffix", RandomIdArgs.builder()
            .byteLength(4)
            .build());
        var main = new DatabaseInstance("main", DatabaseInstanceArgs.builder()
            .name(dbNameSuffix.hex().applyValue(hex -> String.format("main-instance-%s", hex)))
            .databaseVersion("MYSQL_5_7")
            .settings(DatabaseInstanceSettingsArgs.builder()
                .tier("db-f1-micro")
                .build())
            .build());
        var users = new User("users", UserArgs.builder()
            .name("me")
            .instance(main.name())
            .host("me.com")
            .password(sqlUserPassword.applyValue(getKMSSecretResult -> getKMSSecretResult.plaintext()))
            .build());
    }
}
Content copied to clipboard
resources:
  dbNameSuffix:
    type: random:RandomId
    name: db_name_suffix
    properties:
      byteLength: 4
  main:
    type: gcp:sql:DatabaseInstance
    properties:
      name: main-instance-${dbNameSuffix.hex}
      databaseVersion: MYSQL_5_7
      settings:
        tier: db-f1-micro
  users:
    type: gcp:sql:User
    properties:
      name: me
      instance: ${main.name}
      host: me.com
      password: ${sqlUserPassword.plaintext}
variables:
  sqlUserPassword:
    fn::invoke:
      Function: gcp:kms:getKMSSecret
      Arguments:
        cryptoKey: ${myCryptoKey.id}
        ciphertext: CiQAqD+xX4SXOSziF4a8JYvq4spfAuWhhYSNul33H85HnVtNQW4SOgDu2UZ46dQCRFl5MF6ekabviN8xq+F+2035ZJ85B+xTYXqNf4mZs0RJitnWWuXlYQh6axnnJYu3kDU=
Content copied to clipboard

This will result in a Cloud SQL user being created with password my-secret-password.

Return

A collection of values returned by getKMSSecret.

Parameters

argument

A collection of arguments for invoking getKMSSecret.

suspend fun getKMSSecret(additionalAuthenticatedData: String? = null, ciphertext: String, cryptoKey: String): GetKMSSecretResult

Return

A collection of values returned by getKMSSecret.

Parameters

additionalAuthenticatedData

The additional authenticated data used for integrity checks during encryption and decryption.

ciphertext

The ciphertext to be decrypted, encoded in base64

cryptoKey

The id of the CryptoKey that will be used to decrypt the provided ciphertext. This is represented by the format {projectId}/{location}/{keyRingName}/{cryptoKeyName}.

See also

.

suspend fun getKMSSecret(argument: suspend GetKMSSecretPlainArgsBuilder.() -> Unit): GetKMSSecretResult

Return

A collection of values returned by getKMSSecret.

Parameters

argument

Builder for com.pulumi.gcp.kms.kotlin.inputs.GetKMSSecretPlainArgs.

See also

.