Add note in documentation that special characters may need to be escaped when using `pulumi config set --secret`

[ahanoff]

I had password with special characters: 9#^XeshqnX$bG9vFPa@r7Ti98uo@sS, which I stored as pulumi config secret and then retrived it from config and stored as AWS SSM secret.
After comparison AWS SSM Secret value and original password don't match

Expected behavior

It should match of course

Current behavior

It doesn't match

Steps to reproduce

1. Add pulumi secret with special characters (for example 9#^XeshqnX$bG9vFPa@r7Ti98uo@sS )
2. Take that secret from config and stores it in AWS SecretsManager
3. Retrieve AWS SecretsManager secret value and compare with original

Context (Environment)

Affected feature

[t0yv0]

Could you provide a script to reproduce? I currently cannot reproduce with this Python script:

import subprocess as sp

secret = """9#^XeshqnX$bG9vFPa@r7Ti98uo@sS"""

p = sp.Popen('pulumi config set my_secret --secret', shell=True,
             stdout=sp.PIPE, stdin=sp.PIPE, stderr=sp.PIPE)

p.communicate(input=secret.encode('utf-8'))

secret2 = sp.check_output('pulumi config get my_secret', shell=True) \
            .decode('utf-8').strip()

assert secret == secret2, 'secret string does not turn around'

Note: since your string contains special characters you must be careful about escaping them correctly through your shell etc.

[ahanoff]

https://github.com/ahanoff/pulumi-secret-bug

@t0yv0 sure, please find minimal code to reproduce (I'm using nodejs with typescript). I added readme with steps that I did.

[t0yv0]

What shell do you use? What does this print?

echo "9#^XeshqnX$bG9vFPa@r7Ti98uo@sS"

In bash/zsh you need to apply escaping to certain characters like $.

[ahanoff]

echo "9#^XeshqnX$bG9vFPa@r7Ti98uo@sS"
9#^XeshqnX@r7Ti98uo@sS

damn, you are right @t0yv0

[t0yv0]

Closing, sounds like not a pulumi bug.

[emirozmen07]

What shell do you use? What does this print?

echo "9#^XeshqnX$bG9vFPa@r7Ti98uo@sS"

In bash/zsh you need to apply escaping to certain characters like $.

Maybe, can we add a warning for this, for the zsh/bash terminals?

[Frassle]

Maybe, can we add a warning for this, for the zsh/bash terminals?

How could we warn about it? By the time the pulumi process sees the text it's already been escaped by the shell. We'd have to warn on every input because potentially anything could have been escaped.

[emirozmen07]

True.

When you use single quote it prints without formatting the variables. Maybe if you use double quotes, it can be warned -if it's detectable-. Or this info could be recommended in the docs as a little note? It's not very important anyway but.

https://www.pulumi.com/docs/iac/concepts/secrets/

[Frassle]

Or this info could be recommended in the docs as a little note?

We can do that.