I create a team with `readonly` permissions on some stacks I

Question

I create a team with `readonly` permissions on some stacks I assumed running `pulumi preview` will work just fine It does but after showing a correct preview it if fails with ```error failed to encrypt secret value 404 Not Found Stack my stack not found``` When I give it `write` permissions on the stack it succeeds Why does it try to encrypt anything on `preview` seems like a bug

millions-train-91139 · Answer

Also the Pulumi SaaS thinks that the preview succeeded so it s just some finalizations in the CLI that cause this to fail I tracked it down to `deployment go` ```var ciphertext string if cachingCrypter ok = enc cachingCrypter ok ciphertext err = cachingCrypter encryptSecret prop SecretValue plaintext else ciphertext err = enc EncryptValue ctx plaintext if err = nil return nil fmt Errorf failed to encrypt secret value w err contract AssertNoErrorf err marshalling underlying secret value to JSON ``` I assume the following endpoint is not accessible to `readonly` permission to a stack ```addEndpoint POST api stacks orgName projectName stackName encrypt encryptValue ``` I think it should otherwise it is not possible to run `previews` in `readonly` when there is a secret in the stack I assume switch to a different secret provider gcpkms will also solve it since I will be able to give it encrypt permissions The other option is to change to pulumi to not encrypt what it tries to encrypt but that would be a deeper change

lemon-agent-27707 · Answer

That does sound surprising would you mind opening an issue so that we can follow up and investigate <https github com pulumi pulumi issues new choose>

millions-train-91139 · Answer

FYI when I moved to gcpkms as a secret provider this was solved

millions-train-91139 · Answer

Actually a different secret provider doesn t work which is wierd However this only happens when I used ` save plan` flag when I don t everything works great