This message was deleted.

The app is available for use as a secret provider, so long as you set the PULUMI_ACCESS_TOKEN, I think? If you want to change to use a different secret provider, you can do that. See this page: https://www.pulumi.com/docs/concepts/state/ There's a section that says:

Note:: After migration, your stack’s state will be managed by the Pulumi Cloud backend, but the stack will continue using the same secrets provider. You can separately change the secrets provider for your stack if needed.

And that tells you what you need to do, see this bit: https://www.pulumi.com/docs/concepts/secrets/#changing-the-secrets-provider-for-a-stack

Thanks, in my case, I want to use KMS as a secret provider after I import the stack to the s3 backend but due to the error I posted I had to switch secret provider before exporting the stack. I will try with with pulumi token environment var set to see if that helps.

Have you actually changed the secret provider to be

<awskms://yourKMSdetails>

? You should see that set up in your Pulumi.yaml. I don't know why there isn't an example snippet on that page: there's loads of examples of the CLI doing it, but normally I just edit the file by hand (which is all the CLI does).

yes, in the stack's pulumi yaml I see

secretsprovider

field with KMS