I create a team with `readonly` permissions on som...
# pulumi-cloud
I create a team with
permissions on some stacks. I assumed running
pulumi preview
will work just fine. It does, but after showing a correct preview it if fails with:
Copy code
error: failed to encrypt secret value: [404] Not Found: Stack 'my-stack' not found
When I give it
permissions on the stack, it succeeds. Why does it try to encrypt anything on
, seems like a bug
Also, the Pulumi SaaS thinks that the preview succeeded - so it’s just some finalizations in the CLI that cause this to fail. I tracked it down to:
Copy code
var ciphertext string
		if cachingCrypter, ok := enc.(*cachingCrypter); ok {
			ciphertext, err = cachingCrypter.encryptSecret(prop.SecretValue(), plaintext)
		} else {
			ciphertext, err = enc.EncryptValue(ctx, plaintext)
		if err != nil {
			return nil, fmt.Errorf("failed to encrypt secret value: %w", err)
		contract.AssertNoErrorf(err, "marshalling underlying secret value to JSON")
I assume the following endpoint is not accessible to
permission to a stack.
Copy code
addEndpoint("POST", "/api/stacks/{orgName}/{projectName}/{stackName}/encrypt", "encryptValue")
I think it should, otherwise it is not possible to run
when there is a secret in the stack. --- I assume switch to a different secret provider (gcpkms) will also solve it, since I will be able to give it encrypt permissions? --- The other option is to change to pulumi to not encrypt what it tries to encrypt - but that would be a deeper change.
That does sound surprising, would you mind opening an issue so that we can follow up and investigate? https://github.com/pulumi/pulumi/issues/new/choose
FYI, when I moved to gcpkms as a secret provider, this was solved.
Actually a different secret provider doesn’t work, which is wierd. However this only happens when I used
flag, when I don’t, everything works great.