Secret StringAsset prints plaintext value instead of [secret] #16222

Closed
IaroslavTitov opened this issue May 17, 2024 · 1 comment
Labels
kind/bug Some behavior is incorrect or out of spec resolution/by-design This issue won't be fixed because the functionality is working as designed

Comments

@IaroslavTitov
Contributor

What happened?

I was building a provider resource and passed in a secret StringAsset into Input. During debugging, I printed the input value in the Check method, and the output was plaintext. I tested with a normal secret string, and its value gets replaced by [secret], while StringAsset's did not.

My guess is that Stringer method just needs to be created/fixed.

Unfortunately this issue led me on a multi-hour debugging session, and wasted time. Please fix to avoid this issue for other developers.

Example

Here's my resource creation code (C#)

    Pulumi.Config config = new Pulumi.Config();
    String yaml = """
        values:
          bug: found 
    """;
    var asset = Output.CreateSecret((AssetOrArchive)new StringAsset(yaml))!;
    var environ = new Pulumi.PulumiService.Environment(
        "Iaro's environment",
        new EnvironmentArgs {
            Organization = "IaroslavTitov",
            Name = config.RequireSecret("envname"),
            Yaml = asset
        }
    );

Name is of type String and Yaml is of type AssetOrArchive

On top of my Check method I inserted panic(fmt.Sprintf("check hit: %+v", req.GetNews()))
Which outputs:

panic: check hit: fields:{key:"name"  value:{struct_value:{fields:{key:"4dabf18193072939515e22adb298388d"  value:{string_value:"1b47061264138c4ac30d75fd1eb44270"}}  fields:{key:"value"  value:{string_value:"[secret]"}}}}}  fields:{key:"organization"  value:{string_value:"IaroslavTitov"}}  fields:{key:"yaml"  value:{struct_value:{fields:{key:"4dabf18193072939515e22adb298388d"  value:{string_value:"1b47061264138c4ac30d75fd1eb44270"}}  fields:{key:"value"  value:{struct_value:{fields:{key:"4dabf18193072939515e22adb298388d"  value:{string_value:"c44067f5952c0a294b673a41bacd8c17"}}  fields:{key:"hash"  value:{string_value:"545629a710533e529774645d7fd431218c1dfffb8ce083852da2c1a24a0bbf7c"}}  fields:{key:"text"  value:{string_value:"    values:\n      bug: found "}}}}}}}}

We can see that name's value got replaced, while the yaml value is visible.

Output of pulumi about

running 'dotnet build -nologo .'
Determining projects to restore...

All projects are up-to-date for restore.

PulumiDotnet -> /home/iaro/PulumiDotnet/bin/Debug/net7.0/PulumiDotnet.dll

Build succeeded.

0 Warning(s)
0 Error(s)

Time Elapsed 00:00:01.09

'dotnet build -nologo .' completed successfully
CLI
Version 3.116.1
Go Version go1.22.3
Go Compiler gc

Plugins
KIND NAME VERSION
resource aws 6.36.0
language dotnet unknown
resource pulumiservice 0.20.2-alpha.1715802422+69a85eb8
resource random 4.16.1

Host
OS ubuntu
Version 22.04
Arch x86_64

This project is written in dotnet: executable='/usr/bin/dotnet' version='8.0.105'

Current Stack: IaroslavTitov/PulumiDotnet/SdkTest4

Found no resources associated with SdkTest4

Found no pending operations associated with SdkTest4

Backend
Name https://api.iaro.pulumi-dev.io
URL https://app.iaro.pulumi-dev.io/IaroslavTitov
User IaroslavTitov
Organizations IaroslavTitov, subtest, service-provider-test-org
Token type personal

Dependencies:
NAME VERSION
Pulumi 3.63.1
Pulumi.Aws 6.36.0
Pulumi.PulumiService 0.20.2-alpha.1715802422
Pulumi.Random 4.16.1

Pulumi locates its logs in /tmp by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@IaroslavTitov IaroslavTitov added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels May 17, 2024
@justinvp justinvp added resolution/by-design This issue won't be fixed because the functionality is working as designed and removed needs-triage Needs attention from the triage team labels May 26, 2024
@justinvp
Member

This behavior is actually by design. Any config values that are saved as a secret (via pulumi config set --secret) are added to a filter that replaces the value with [secret] when outputted to stdout or stderr. However, any values inside a program that are wrapped as a secret Output.CreateSecret at runtime do not participate in this stdout/stderr filtering, because they aren't known up-front before the program starts running like config is.

@justinvp justinvp closed this as not planned May 26, 2024
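Since runtime secrets are not covered by the stdout/stderr filter, a provider author who dumps inputs while debugging can mask secret-wrapped values before printing. The sketch below is an added example, not code from Pulumi or from either commenter: it works on plain Go maps of the kind structpb's `AsMap()` returns, reuses the marker strings visible in the panic output above, and the names `Redact` and `sampleNews` are hypothetical.

```go
package main

import "fmt"

// Marker strings copied from the panic output in the issue above.
const (
	sigKey    = "4dabf18193072939515e22adb298388d" // key present on special values
	secretSig = "1b47061264138c4ac30d75fd1eb44270" // value that marks a secret
)

// Redact returns a copy of v in which every secret-wrapped value,
// including a secret asset, is replaced by the string "[secret]".
func Redact(v any) any {
	switch t := v.(type) {
	case map[string]any:
		if t[sigKey] == secretSig {
			return "[secret]" // drop the whole wrapper, payload included
		}
		out := make(map[string]any, len(t))
		for k, child := range t {
			out[k] = Redact(child)
		}
		return out
	case []any:
		out := make([]any, len(t))
		for i, child := range t {
			out[i] = Redact(child)
		}
		return out
	default:
		return v
	}
}

// sampleNews is constructed input shaped like the issue's req.GetNews() dump.
func sampleNews() map[string]any {
	return map[string]any{
		"organization": "IaroslavTitov",
		"name":         map[string]any{sigKey: secretSig, "value": "[secret]"},
		"yaml": map[string]any{sigKey: secretSig, "value": map[string]any{
			sigKey: "c44067f5952c0a294b673a41bacd8c17", // asset marker from the dump
			"text": "    values:\n      bug: found ",
		}},
	}
}

func main() {
	fmt.Printf("check hit: %+v\n", Redact(sampleNews()))
}
```

In a real provider the input would come from `req.GetNews().AsMap()` rather than from `sampleNews`.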