5
votes

I have a terraform config which creates an AWS IAM user with an access key, and I assign both id and secret to output variables:

...

resource "aws_iam_access_key" "brand_new_user" {
  user = aws_iam_user.brand_new_user.name
}

output "brand_new_user_id" {
  value = aws_iam_access_key.brand_new_user.id
}

output "brand_new_user_secret" {
  value     = aws_iam_access_key.brand_new_user.encrypted_secret
  sensitive = true
}

Here brand_new_user_secret is declared as sensitive, so terraform output obviously does not print it.

Is there any way to get its output value without parsing the whole state file? Trying to access it directly (terraform output brand_new_user_secret) does not work (results in an error "The output variable requested could not be found in the state file...").

Terraform version: 0.12.18


4 Answers

10
votes

I had some hopes to avoid it, but so far I did not find a better way than parsing the terraform state:

terraform state pull | jq '.resources[] | select(.type == "aws_iam_access_key") | .instances[0].attributes'

which would result in a structure similar to:

{
  "encrypted_secret": null,
  "id": "....",
  "key_fingerprint": null,
  "pgp_key": null,
  "secret": "....",
  "ses_smtp_password": "....",
  "ses_smtp_password_v4": null,
  "status": "Active",
  "user": "...."
}
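As an added illustration of what the jq pipeline above selects, and of why it matters, here is a small Python audit (not from this answer or from Terraform) that applies the same selection to a `terraform state pull` document, over every instance rather than only `instances[0]`, and flags access keys whose secret sits in the state in clear text. The state document, key ids and secrets are constructed placeholders.

```python
import json

# Constructed sample of a `terraform state pull` document, cut down to the
# fields this audit reads; ids and secrets are placeholders, not real values.
SAMPLE_STATE = json.dumps({"version": 4, "resources": [
    {"type": "aws_iam_access_key", "name": "brand_new_user", "instances": [{"attributes": {
        "id": "AKIAEXAMPLE000000001", "user": "brand_new_user", "pgp_key": None,
        "encrypted_secret": None, "secret": "placeholder-plaintext-secret"}}]},
    {"type": "aws_iam_access_key", "name": "pgp_user", "instances": [{"attributes": {
        "id": "AKIAEXAMPLE000000002", "user": "pgp_user", "pgp_key": "keybase:some_person_that_exists",
        "encrypted_secret": "placeholder-base64-pgp-blob", "secret": None}}]},
    {"type": "aws_iam_user", "name": "brand_new_user",
     "instances": [{"attributes": {"name": "brand_new_user"}}]},
]})


def access_key_attributes(state_json):
    """Same selection as the jq filter: attributes of every aws_iam_access_key instance."""
    state = json.loads(state_json)
    return [inst["attributes"]
            for res in state.get("resources", [])
            if res.get("type") == "aws_iam_access_key"
            for inst in res.get("instances", [])]


def plaintext_secret_report(state_json):
    """Flag access keys whose secret is stored in clear text in the state.

    The provider docs say encrypted_secret is only filled when pgp_key is set;
    without it the raw secret is what the `secret` attribute holds, so anyone
    who can read the state backend can read the key.
    """
    return [{
        "id": attrs.get("id"),
        "user": attrs.get("user"),
        "plaintext_in_state": attrs.get("secret") is not None,
        "pgp_encrypted": attrs.get("encrypted_secret") is not None,
    } for attrs in access_key_attributes(state_json)]


if __name__ == "__main__":
    for row in plaintext_secret_report(SAMPLE_STATE):
        print(row)
```

Feed it the real document with `terraform state pull | python3 audit.py` (reading stdin instead of SAMPLE_STATE) to see which keys in a workspace are only protected by the state backend's access controls.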

2
votes

To see the sensitive value interactively, i.e. for the purposes of analyzing/debugging the state, you can use Terraform's console command and the nonsensitive() function:

$ terraform console

> nonsensitive(aws_iam_access_key.brand_new_user.encrypted_secret)

You may need to use other functions to decode/manipulate the value before printing it.

1
votes

I haven't tried it, but the docs seem to suggest that if you want to output encrypted_secret you must supply a pgp_key to the aws_iam_access_key resource:

  • pgp_key - (Optional) Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.

  • encrypted_secret - The encrypted secret, base64 encoded, if pgp_key was specified. ~> NOTE: The encrypted secret may be decrypted using the command line, for example: terraform output encrypted_secret | base64 --decode | keybase pgp decrypt.

https://www.terraform.io/docs/providers/aws/r/iam_access_key.html

1
votes

I'm using a hacky workaround here like this...

resource "aws_iam_access_key" "brand_new_user" {
  user = aws_iam_user.brand_new_user.name
}

output "brand_new_user_id" {
  value = aws_iam_access_key.brand_new_user.id
}

data "template_file" "secret" {
  template = aws_iam_access_key.brand_new_user.encrypted_secret
}

output "brand_new_user_secret" {
  value = data.template_file.secret.rendered
}