No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

When using a KMS key as a stack secret provider for pulumi, what's the minimum IAM action permission required? I currently have `kms:*` but would like to narrow it down.

I don't know off-hand, but the best way to figure this out is to us IAM's Access Advisor.
This works only via a role, so you need to use an assumed role for your backend's credentials. If you're not already doing this (e.g. you're using access key id and secret ley), then you can do this by using an AWS profile with the role_arn and source_profile properties. Use this as your default profile, since that's what Pulumi uses for your backend.
Once you've got this set up, you can perform all your normal operations a few times, then view your role's access advisor in the IAM console. Remove everything that isn't listed there.