No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

The password is encrypted in my state.
How are you passing it in?

Input field is encrypted ?
I tried many ways:
1. Create password in code using Pulumi.Random.RandomPasssword (I use this approach with RDS)
2. Create config secret value and pass it as config.RequireSecret("db_password")
In both variants Input field is plaintext while Output is encrypted

We're using `config.requireSecret` here.

Do you have a secrets provider setup to provide the encryption?

Of course, I use AWS S3 bucket with KMS key encryption as backend

if you export a value marked as secret, is that stored in plaintext or encrypted?

something like `export foo = pulumi.secret("bar")` should do if using typescript

image.png

yes, it is stored encrypted

```TestSecure = Output.CreateSecret("test_secret_value");

}
[Output] public Output&lt;string&gt; TestSecure { get; set; }```


The problem is not in encryption Output but in encryption of Input

If you export your state and check Input password value is it encrypted or not ?

yes, it's encrypted in mine. Though I'm using gcp classic for the database

Thanks, I always try to use aws native or google native where it is possible )

Looks like it is bug in google-native provider as SQL User password Input field also not encrypted

It's fine to use both at the same time, so could setup the database with Classic, then have the rest with native

But they cover Cloud SQL with google-native that's why I used it

The APIs are very similar, so should all make sense to you.

In the mean time, an issue should be raised about inputs not being encrypted: <https://github.com/pulumi/pulumi-google-native/issues>