This message was deleted.

Also, the Pulumi SaaS thinks that the preview succeeded - so it’s just some finalizations in the CLI that cause this to fail. I tracked it down to:

deployment.go

var ciphertext string
		if cachingCrypter, ok := enc.(*cachingCrypter); ok {
			ciphertext, err = cachingCrypter.encryptSecret(prop.SecretValue(), plaintext)
		} else {
			ciphertext, err = enc.EncryptValue(ctx, plaintext)
		}
		if err != nil {
			return nil, fmt.Errorf("failed to encrypt secret value: %w", err)
		}
		contract.AssertNoErrorf(err, "marshalling underlying secret value to JSON")

I assume the following endpoint is not accessible to

readonly

permission to a stack.

addEndpoint("POST", "/api/stacks/{orgName}/{projectName}/{stackName}/encrypt", "encryptValue")

I think it should, otherwise it is not possible to run

previews

in

readonly

when there is a secret in the stack. --- I assume switch to a different secret provider (gcpkms) will also solve it, since I will be able to give it encrypt permissions? --- The other option is to change to pulumi to not encrypt what it tries to encrypt - but that would be a deeper change.

That does sound surprising, would you mind opening an issue so that we can follow up and investigate? https://github.com/pulumi/pulumi/issues/new/choose

FYI, when I moved to gcpkms as a secret provider, this was solved.