https://pulumi.com logo
#getting-started
Title
# getting-started
b

busy-toothbrush-90194

10/11/2023, 5:27 PM
Hi folks, I am trying to move a stack from pulumi cloud backend to AWS S3, after exporting the stack when I try to import it I get this error
Copy code
error: could not deserialize deployment: constructing secrets manager of type "service": could not find access token for <https://api.pulumi.com>, have you logged in?
If I understood correctly then this is due to the secret provider being the pulumi service on the exported stack which is not available with the s3 backend. What is the workaround for this? Do I need to change the secret provider for the stack before exporting it and then use the same provider while importing it or there is any other way where I don't need to change the secret provider in the stack before exporting.
l

little-cartoon-10569

10/11/2023, 10:07 PM
The app is available for use as a secret provider, so long as you set the PULUMI_ACCESS_TOKEN, I think? If you want to change to use a different secret provider, you can do that. See this page: https://www.pulumi.com/docs/concepts/state/ There's a section that says:
Note:: After migration, your stack’s state will be managed by the Pulumi Cloud backend, but the stack will continue using the same secrets provider. You can separately change the secrets provider for your stack if needed.
And that tells you what you need to do, see this bit: https://www.pulumi.com/docs/concepts/secrets/#changing-the-secrets-provider-for-a-stack
b

busy-toothbrush-90194

10/12/2023, 1:55 PM
Thanks, in my case, I want to use KMS as a secret provider after I import the stack to the s3 backend but due to the error I posted I had to switch secret provider before exporting the stack. I will try with with pulumi token environment var set to see if that helps.
l

little-cartoon-10569

10/12/2023, 7:04 PM
Have you actually changed the secret provider to be
<awskms://yourKMSdetails>
? You should see that set up in your Pulumi.yaml. I don't know why there isn't an example snippet on that page: there's loads of examples of the CLI doing it, but normally I just edit the file by hand (which is all the CLI does).
b

busy-toothbrush-90194

10/13/2023, 12:33 PM
yes, in the stack's pulumi yaml I see
secretsprovider
field with KMS
After changing the secret provider I exported the stack again and the kms secret provider was there in the stack json as well.