# typescript
b
I am stumped on this issue. Is it possible to take a value from the config file that is stored as a secret and then later turn the secret into a string so that it can be used inside of a string, in this case as part of an API endpoint URL? Given what I have read so far, I don't know if Pulumi will allow a secret value to live "in the clear". Examples: I can use these two options to successfully convert a non-secret to a string, but they do not work with a secret:
```typescript
const nonSecret = config.require("non-secret")
const nonSecretString = nonSecret.apply(v => `${v}`);
// or
const nonSecretString = pulumi.interpolate`${nonSecret}`;
```
These do not work because apiKey is an Output<T> and errors out when converting to a string:
```typescript
const apiKey = config.requireSecret("myApiKey")
const apiKeyString = apiKey.apply(v => `${v}`);
// or
const apiKeyString = pulumi.interpolate`${apiKey}`;
```
Example of how I need to put the secret into a string:
```typescript
const newObject = new gcp.pubsub.Subscription("new-sub", {
    topic: existingPubSubTopic.name,
    pushConfig: {
        pushEndpoint: `https://example.com/api/v2/logs?api-key=${apiKey}&protocol=gcp`
    },
    project: config.require("gcp-project-id")
});
```
g
something like
```typescript
pushEndpoint: pulumi.interpolate`https://example.com/api/v2/logs?api-key=${apiKey}&protocol=gcp`
```
b
@green-stone-37839 Thanks! That worked. I have been trying this for a couple of hours and I could have sworn that I tried this method. Does this work because the secret is decrypted only once when the method is called versus being placed into a new string and then used later?
g
This works because the `pushEndpoint` property itself accepts outputs. An output can never be a plain value (string, bool, etc.), but using apply (or interpolate in this case) you can construct a new output that fits your purpose.
Basically, you can only interrogate an output's underlying value in an apply, interpolate, etc.