# general

bland-dog-47600

12/07/2023, 4:54 PM
Hi everyone, I’ve set up secrets management with Google KMS, but it looks like everyone in our team has to have both the Encrypter and Decrypter roles, because the implementation creates an additional symmetric encryption key which has to be decrypted by KMS in order to work with the secrets. (I followed https://www.pulumi.com/blog/peace-of-mind-with-cloud-secret-providers/.) What I actually want is segregation of permissions, so that the developers could only encrypt new secrets, but not decrypt them. I want to do that for production; staging can be more permissive. Is there an out-of-the-box solution?

billowy-army-68599

12/07/2023, 4:55 PM
That isn’t possible. You need to be able to decrypt the values to be able to run pulumi.

bland-dog-47600

12/07/2023, 4:56 PM
No, I’m talking about segregation of roles. We don’t want to permit everyone to run pulumi on production, but we do want to allow developers to encrypt new secrets.

billowy-army-68599

12/07/2023, 5:00 PM
ah, so no developer should be able to execute Pulumi locally?

bland-dog-47600

12/07/2023, 5:02 PM
No, we want to have only a few devs being able to deploy production. But we don’t want them to be interrupted with requests like ‘Please, add this token to the prod secrets’; we’d rather allow the developers to do it themselves with a PR.

billowy-army-68599

12/07/2023, 5:03 PM
I mean, it’s possible, but you’d need to craft the permissions on the key so those people can write and not read. It’s certainly well out of the scope of community support.
If the users can successfully do
pulumi config set
then it’ll work.

bland-dog-47600

12/07/2023, 5:04 PM
We gave them permission to encrypt without decryption permissions. The thing is, Pulumi’s implementation creates an extra key which has to be decrypted by KMS, and they are not allowed to do that.
This key
> It’s certainly well out of the scope of community support
Is there paid customer support, btw? I couldn’t find it anywhere.

billowy-army-68599

12/07/2023, 5:08 PM
I can have someone reach out