# pulumi-cloud
m
I create a team with `readonly` permissions on some stacks. I assumed running `pulumi preview` would work just fine. It does, but after showing a correct preview it fails with:
```text
error: failed to encrypt secret value: [404] Not Found: Stack 'my-stack' not found
```
When I give it `write` permissions on the stack, it succeeds. Why does it try to encrypt anything on `preview`? Seems like a bug.
Also, the Pulumi SaaS thinks that the preview succeeded - so it’s just some finalizations in the CLI that cause this to fail. I tracked it down to:
`deployment.go`:
```go
var ciphertext string
if cachingCrypter, ok := enc.(*cachingCrypter); ok {
	ciphertext, err = cachingCrypter.encryptSecret(prop.SecretValue(), plaintext)
} else {
	ciphertext, err = enc.EncryptValue(ctx, plaintext)
}
if err != nil {
	return nil, fmt.Errorf("failed to encrypt secret value: %w", err)
}
contract.AssertNoErrorf(err, "marshalling underlying secret value to JSON")
```
I assume the following endpoint is not accessible with `readonly` permission on a stack:
```go
addEndpoint("POST", "/api/stacks/{orgName}/{projectName}/{stackName}/encrypt", "encryptValue")
```
I think it should be, otherwise it is not possible to run `preview` with `readonly` when there is a secret in the stack. --- I assume switching to a different secret provider (gcpkms) will also solve it, since I will be able to give it encrypt permissions? --- The other option is to change Pulumi so it does not encrypt what it currently tries to encrypt, but that would be a deeper change.
l
That does sound surprising, would you mind opening an issue so that we can follow up and investigate? https://github.com/pulumi/pulumi/issues/new/choose
m
FYI, when I moved to gcpkms as a secret provider, this was solved.
Actually, a different secret provider doesn't work either, which is weird. However, this only happens when I use the `--save-plan` flag; when I don't, everything works great.