# esc
g
actually to revise my question -
1. I see that when you use fn::secret it gets converted to ciphertext. does that conversion happen on the client or on the BE, like when you use `pulumi config set --secret` from my understanding the plaintext secrets never hit the server, is that the same here?
2. is it possible to use a different encryption key provider than pulumi, similar to config (and if not is this a FR y’all would consider? happy to file a ticket if yes)
e
This happens in the backend, so it is not E2E. We have discussed E2E scenarios for future prioritization; please file a ticket (thank you in advance). There are some more basic scenarios we want to make sure are covered first, but this is certainly something we want to address.
g
roger that, thanks cleve
@enough-architect-32336 quick follow up - if we use a secrets provider (e.g. gcp-secrets), do the secret values pass through pulumi’s backend, or does the backend just hand the client a short-lived GCP token and the client calls gcp-secrets itself?
e
They are resolved in the backend so it is a pass through. They are never persisted. If you would like us to revisit that, we would appreciate another ticket.