Good morning (or evening) everybody! ❤️ It's been days that's i've been really stuck on an issue on secrets and pulumi yaml. i can't prevent secrets not to be exposed plaintext on resource properties. is there a way to do that?

sshCommands:
    type: command:remote:Command
    properties:
      connection:
        host: ${debianserver.ipv4Address}
        user: user
        privateKey: ${AUTHORIZED_PRIVATE_KEY}
        port: 22
      create: echo ''
    options:
      additionalSecretOutputs:
        - create
        - connection

where "AUTHORIZED_PRIVATE_KEY" is a secret declared in the config-map of my github-ci pipeline (marked "secret": true) but then the input (whereas the output is ok) is exposed to the state in plaintext

"inputs": {
                    "connection": {
                        "host": "1.1.1.1",
                        "port": 22,
                        "privateKey": "-----BEGIN OPENSSH PRIVATE KEY----- ...",
                        "user": "user"
                    },
                    "create": "echo ''"
                },

Have you set it as a secret in your Pulumi config?

yes, i've set "secret": true in the config.map property of the github pipeline

Pulumi doesn’t have any information about that. You need to set it as a secret in Pulumi

but i see from the pulumi web interface that it correctly identifies the variable as a secret, marking it as "encrypted" on the configuration tab

If that’s the case, it’s a bug, and would be good to open an issue

mmh that's right

Okay that’s a bug, please file an issue

ok, i will do it, thanks