https://pulumi.com logo
#general
Title
# general
b

big-potato-91793

07/05/2023, 1:44 PM
Quick question about secret, we are using the s3 stack for now. We need often to add secret for our stacks. The only concerns is that this required someone to run the
pulumi config set --secret
. Often we cannot do that because most of our users doesn’t have access in rw of the s3 bucket. we are using the kms secret provider. We were maybe looking into vault. Any ideas?
e

echoing-dinner-19531

07/05/2023, 3:21 PM
config doesn't get committed to the s3 bucket, it's part of the Pulumi.<stack>.yaml files so you just need secrets access not state access.
b

big-potato-91793

07/10/2023, 7:40 PM
Weird. Every time, we are trying to add a secret we need to make sure that we are able to connect to the s3 bucket.
e

echoing-dinner-19531

07/10/2023, 9:12 PM
I think the program flow always tries to get the stack data but its just to confirm the stack name is valid. You could trick it by just logging into --local creating a stack of the same name, running "config set" and then switching back to the real backend. If you want to raise an issue to discuss this we could see about maybe having a sort of "-no-validate-stack-name" mode or something?
b

big-potato-91793

07/10/2023, 9:13 PM
awesome! I will try to open something tomorrow
@echoing-dinner-19531 we are using awskms as the secret provider so that would explain why