Secret handling
What is secret
| Value | Type |
|---|---|
| Netskope bearer token | Tenant API credential for static-token auth |
| OAuth2 client secret | Secret used to fetch short-lived bearer tokens |
| Registration tokens | Short-lived publisher enrollment tokens |
| Rendered cloud-init | Contains registration tokens |
publishers output |
Secret output because it includes registration tokens |
Store static auth as a Pulumi secret
1 | pulumi config set netskope:tenantUrl https://tenant.goskope.com |
Read it in code and pass it to the component:
1 | const config = new pulumi.Config("netskope"); |
apiToken remains accepted as a backwards-compatible alias, but new
programs should use bearerToken.
Store OAuth2 credentials as Pulumi secrets
1 | pulumi config set netskope:tenantUrl https://tenant.goskope.com |
1 | authMode: "oauth2", |
Use a Pulumi backend with encrypted state and scoped access. Secrets are
encrypted in state, but anyone with stack access and the secrets provider
can decrypt them.
Registration tokens
Normally do not handle registration tokens directly. They flow from the
Netskope API to Pulumi state, then into cloud-init or Kubernetes Secrets,
and are consumed by the publisher at first boot.
When passing registrations manually, mark the token secret:
1 | registrations: pulumi.secret({ |
Rotating credentials
After rotating the upstream Netskope bearer token or OAuth2 client secret:
- Update the Pulumi stack secret.
- Run
pulumi preview. - Apply only if the preview matches the infrastructure change you
expected.
The publisher VMs do not use tenant API credentials after enrollment.
For per-publisher token rotation, see
Rotate the registration token.