pulumi · pgavlin · Nov 8, 2023 · Nov 8, 2023
diff --git a/cmd/esc/cli/env_open.go b/cmd/esc/cli/env_open.go
@@ -115,7 +115,7 @@ func (env *envCommand) renderValue(
 		enc.SetIndent("", "  ")
 		return enc.Encode(val)
 	case "dotenv":
-		_, environ, _, err := env.prepareEnvironment(e, PrepareOptions{Pretend: pretend, Quote: true})
+		_, environ, _, err := env.prepareEnvironment(e, PrepareOptions{Pretend: pretend, Quote: true, Redact: !showSecrets})
 		if err != nil {
 			return err
 		}
@@ -124,7 +124,7 @@ func (env *envCommand) renderValue(
 		}
 		return nil
 	case "shell":
-		_, environ, _, err := env.prepareEnvironment(e, PrepareOptions{Pretend: pretend, Quote: true})
+		_, environ, _, err := env.prepareEnvironment(e, PrepareOptions{Pretend: pretend, Quote: true, Redact: !showSecrets})
 		if err != nil {
 			return err
 		}

diff --git a/cmd/esc/cli/prepare.go b/cmd/esc/cli/prepare.go
@@ -24,7 +24,7 @@ import (
 	"golang.org/x/exp/maps"
 )
 
-func getEnvironmentVariables(env *esc.Environment, quote bool) (environ, secrets []string) {
+func getEnvironmentVariables(env *esc.Environment, quote, redact bool) (environ, secrets []string) {
 	vars := env.GetEnvironmentVariables()
 	keys := maps.Keys(vars)
 	sort.Strings(keys)
@@ -35,6 +35,9 @@ func getEnvironmentVariables(env *esc.Environment, quote bool) (environ, secrets
 
 		if v.Secret {
 			secrets = append(secrets, s)
+			if redact {
+				s = "[secret]"
+			}
 		}
 		if quote {
 			s = strconv.Quote(s)
@@ -101,6 +104,7 @@ func createTemporaryFiles(e *esc.Environment, opts PrepareOptions) (paths, envir
 type PrepareOptions struct {
 	Quote   bool // True to quote environment variable values
 	Pretend bool // True to skip actually writing temporary files
+	Redact  bool // True to redact secrets. Ignored unless Pretend is set.
 
 	fs escFS // The filesystem for temporary files
 }
@@ -115,7 +119,7 @@ func PrepareEnvironment(e *esc.Environment, opts *PrepareOptions) (files, enviro
 		opts.fs = newFS()
 	}
 
-	envVars, envSecrets := getEnvironmentVariables(e, opts.Quote)
+	envVars, envSecrets := getEnvironmentVariables(e, opts.Quote, opts.Redact)
 
 	filePaths, fileVars, fileSecrets, err := createTemporaryFiles(e, *opts)
 	if err != nil {

diff --git a/cmd/esc/cli/testdata/env-get-all-value-dotenv.yaml b/cmd/esc/cli/testdata/env-get-all-value-dotenv.yaml
@@ -1,4 +1,6 @@
-run: esc env get test --value=dotenv
+run: |
+  esc env get test --value=dotenv
+  esc env get test --value=dotenv --show-secrets
 environments:
   test-user/a: {}
   test-user/b: {}
@@ -16,12 +18,16 @@ environments:
       object: {hello: world}
       open:
         fn::open::test: echo
+      secret:
+        fn::secret:
+          ciphertext: ZXNjeAAAAAHz5ePy5fTB4+Pl8/PL5fnJxPD7
       environmentVariables:
         NULLV: null
         BOOLEAN: true
         NUMBER: 3.14
         STRING: ${string}
         OBJECT: {'fn::toJSON': "${object}"}
+        SECRET: ${secret}
       files:
         FILE: ${string}
 stdout: |
@@ -30,7 +36,17 @@ stdout: |
   NULLV=""
   NUMBER="3.14"
   OBJECT="{\"hello\":\"world\"}"
+  SECRET="[secret]"
+  STRING="esc"
+  FILE="[unknown]"
+  > esc env get test --value=dotenv --show-secrets
+  BOOLEAN="true"
+  NULLV=""
+  NUMBER="3.14"
+  OBJECT="{\"hello\":\"world\"}"
+  SECRET="secretAccessKey"
   STRING="esc"
   FILE="[unknown]"
 stderr: |
   > esc env get test --value=dotenv
+  > esc env get test --value=dotenv --show-secrets
diff --git a/cmd/esc/cli/testdata/env-get-all-value-shell.yaml b/cmd/esc/cli/testdata/env-get-all-value-shell.yaml
@@ -1,4 +1,6 @@
-run: esc env get test --value=shell
+run: |
+  esc env get test --value=shell
+  esc env get test --value=shell --show-secrets
 environments:
   test-user/a: {}
   test-user/b: {}
@@ -16,12 +18,16 @@ environments:
       object: {hello: world}
       open:
         fn::open::test: echo
+      secret:
+        fn::secret:
+          ciphertext: ZXNjeAAAAAHz5ePy5fTB4+Pl8/PL5fnJxPD7
       environmentVariables:
         NULLV: null
         BOOLEAN: true
         NUMBER: 3.14
         STRING: ${string}
         OBJECT: {'fn::toJSON': "${object}"}
+        SECRET: ${secret}
       files:
         FILE: ${string}
 stdout: |
@@ -30,7 +36,17 @@ stdout: |
   export NULLV=""
   export NUMBER="3.14"
   export OBJECT="{\"hello\":\"world\"}"
+  export SECRET="[secret]"
+  export STRING="esc"
+  export FILE="[unknown]"
+  > esc env get test --value=shell --show-secrets
+  export BOOLEAN="true"
+  export NULLV=""
+  export NUMBER="3.14"
+  export OBJECT="{\"hello\":\"world\"}"
+  export SECRET="secretAccessKey"
   export STRING="esc"
   export FILE="[unknown]"
 stderr: |
   > esc env get test --value=shell
+  > esc env get test --value=shell --show-secrets
diff --git a/cmd/esc/cli/testdata/env-get-all.yaml b/cmd/esc/cli/testdata/env-get-all.yaml
@@ -16,6 +16,9 @@ environments:
       object: {hello: world}
       open:
         fn::open::test: echo
+      secret:
+        fn::secret:
+          ciphertext: ZXNjeAAAAAHz5ePy5fTB4+Pl8/PL5fnJxPD7
 stdout: |+
   > esc env get test
   # Value
@@ -32,6 +35,7 @@ stdout: |+
       "hello": "world"
     },
     "open": "[unknown]",
+    "secret": "[secret]",
     "string": "esc"
   }
   ```
@@ -50,6 +54,9 @@ stdout: |+
     object: {hello: world}
     open:
       fn::open::test: echo
+    secret:
+      fn::secret:
+        ciphertext: ZXNjeAAAAAHz5ePy5fTB4+Pl8/PL5fnJxPD7
 
   ```