# general
s
This message was deleted.
b
That isn’t possible. You need to be able to decrypt the values to be able to run pulumi.
b
No, I’m talking about segregation of roles. We don’t want to permit everyone to run pulumi on production, but we do want to allow developers to encrypt new secrets.
b
ah, so no developer should be able to execute Pulumi locally?
b
No, we want to have only a few devs being able to deploy production. But we don’t want them to be interrupted with queries like ‘Please, add this token to the prod secrets,’ we’d rather allow them to do it themselves with a PR.
b
I mean, it’s possible, but you’d need to craft the permissions on the key so those people can write and not read. It’s certainly well out of the scope of community support
if the users can successfully do `pulumi config set` then it’ll work
b
We gave them permission to decrypt without encryption permissions. The thing is, Pulumi’s implementation creates an extra key which has to be decrypted by KMS, and they are not allowed to do that.
This key
It’s certainly well out of the scope of community support
Is there a paid customer support btw? I couldn’t find it anywhere.
b
I can have someone reach out