Hi folks, I am trying to move a stack from pulumi cloud backend to AWS S3, after exporting the stack when I try to import it I get this error

error: could not deserialize deployment: constructing secrets manager of type "service": could not find access token for <https://api.pulumi.com>, have you logged in?

If I understood correctly then this is due to the secret provider being the pulumi service on the exported stack which is not available with the s3 backend. What is the workaround for this? Do I need to change the secret provider for the stack before exporting it and then use the same provider while importing it or there is any other way where I don't need to change the secret provider in the stack before exporting.

The app is available for use as a secret provider, so long as you set the PULUMI_ACCESS_TOKEN, I think? If you want to change to use a different secret provider, you can do that. See this page: https://www.pulumi.com/docs/concepts/state/ There's a section that says:

Note:: After migration, your stack’s state will be managed by the Pulumi Cloud backend, but the stack will continue using the same secrets provider. You can separately change the secrets provider for your stack if needed.

And that tells you what you need to do, see this bit: https://www.pulumi.com/docs/concepts/secrets/#changing-the-secrets-provider-for-a-stack

Thanks, in my case, I want to use KMS as a secret provider after I import the stack to the s3 backend but due to the error I posted I had to switch secret provider before exporting the stack. I will try with with pulumi token environment var set to see if that helps.

Have you actually changed the secret provider to be

<awskms://yourKMSdetails>

? You should see that set up in your Pulumi.yaml. I don't know why there isn't an example snippet on that page: there's loads of examples of the CLI doing it, but normally I just edit the file by hand (which is all the CLI does).

yes, in the stack's pulumi yaml I see

secretsprovider

field with KMS