# esc
g
we have custom config and secrets we need to manage per customer and we're thinking of moving to ESC for this (currently all sits in stack config). however, we'd ideally manage everything in one place rather than having to put them in a dedicated secrets manager and then import them to ESC. I see in the docs there's a `fn::secret` function. do these work similarly to stack secrets, i.e. they're E2E encrypted, or is the plaintext stored in Pulumi's backend?
actually to revise my question - 1. I see that when you use `fn::secret` it gets converted to ciphertext. does that conversion happen on the client or on the BE, like when you use `pulumi config set --secret`? from my understanding the plaintext secrets never hit the server, is that the same here? 2. is it possible to use a different encryption key provider than pulumi, similar to config (and if not is this a FR y'all would consider? happy to file a ticket if yes)
e
This happens in the backend, so it is not E2E. We have discussed E2E scenarios for future prioritization; please file a ticket (thank you in advance). There are some more basic scenarios we want to make sure are covered first, but this is certainly something we want to address.
g
roger that, thanks cleve
@enough-architect-32336 quick follow up - if we use a secrets provider (e.g. gcp-secrets), do the secret values pass through pulumi's backend, or does the backend just hand the client a short-lived GCP token and the client calls gcp-secrets itself?
e
They are resolved in the backend, so it is a pass-through. They are never persisted. If you would like us to revisit that, we would appreciate another ticket.