This message was deleted Pulumi Community #esc

Join Slack

This message was deleted.

# esc

sparse-intern-71089

12/05/2023, 5:40 AM

This message was deleted.

gifted-balloon-26385

12/05/2023, 3:20 PM

actually to revise my question - 1. I see that when you use fn::secret it gets converted to ciphertext. does that conversion happen on the client or on the BE, like when you use

pulumi config set --secret

from my understanding the plaintext secrets never hit the server, is that the same here? 2. is it possible to use a different encryption key provider than pulumi, similar to config (and if not is this a FR y’all would consider? happy to file an ticket if yes)

enough-architect-32336

12/05/2023, 8:55 PM

This happens in the backend, so it is not E2E. We have discussed E2E scenarios for future prioritization; please file a ticket (thank you in advance). There are some more basic scenarios we want to make sure are covered first, but this is certainly something we want to address.

gifted-balloon-26385

12/05/2023, 8:58 PM

roger that, thanks cleve

gifted-balloon-26385

12/05/2023, 10:57 PM

@enough-architect-32336 quick follow up - if we use a secrets provider (e.g gcp-secrets), do the secret values pass through pulumi’s backend, or does the backend just hand the client a short-lived GCP token and the client calls gcp-secrets itself

enough-architect-32336

12/05/2023, 11:57 PM

They are resolved in the backend so it is a pass through. They are never persisted. If you would like us to revisit that would appreciate another ticket.

Open in Slack

Previous Next