05/15/2023, 2:05 PM
Hi, what is the proper way of handling credential configuration in dynamic providers? I tried accessing
inside a dynamic provider class, but kept getting errors that the configuration is not defined (even though it is). Turns out this is a known issue (Slack thread here, GH issue here). However, a Pulumi blog post says this should be possible:
Provider Credentials
If you need to use the credentials used by the rest of your Pulumi app, also known as the ambient provider credentials, you can access the relevant credentials (and other configuration) through the
is the imported provider module.
The code that is not working for me is:
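from pulumi import Config
from pulumi.dynamic import ResourceProvider

class AlertRuleProvider(ResourceProvider):
    def create(self, props):
        _es_username = Config('foobar').require('password')  # this lookup raises the error shown below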
when run:
error: Exception calling application: Missing required configuration variable 'foobar:password'
        please set a value using the command `pulumi config set foobar:password <value>`
I don’t want to pass the credentials as a prop to the provider, because then it gets stored in the state file. On top of the security concerns, I expect there will be problems with this when the credentials expire and new ones need to be used. So what is the correct approach to interface with third-party APIs from dynamic providers? Thank you


05/15/2023, 4:02 PM
I read your other thread and it looks like there's an outstanding issue accessing stack config values in a Dynamic Provider. You could use env vars instead. It's not ideal but should work. You could also try adding the secret to stack config still but maybe you could read the config values outside the dynamic provider code and add them to
yourself? I don't know if that would work though but worth a shot.


05/16/2023, 12:32 PM
Thanks! Providing the values through the environment sounds interesting. The env vars can be consumed with
when they are defined at the bash level (e.g.
FOO=bar pulumi up
). It’s a little annoying because this way we have to ensure those are available in the environment of whoever is running the pulumi command. The second suggestion, with consuming these from the stack config and then setting them as environment variables, does not work, sadly. I suspect this is due to the actual
code running in a different process than the rest of the program? Whatever the cause, the provider can only see the environment variables it has set up itself.