# general
Hi everyone, I’ve set up secrets management with Google KMS, but it looks like everyone on our team has to have both the Encrypter and Decrypter roles, because the implementation creates an additional symmetric encryption key which has to be decrypted by KMS in order to work with the secrets. (I followed https://www.pulumi.com/blog/peace-of-mind-with-cloud-secret-providers/.) What I actually want is segregation of permissions so that the developers can only encrypt new secrets, but not decrypt them. I want to do that for production; staging can be more permissive. Is there an out-of-the-box solution?

That isn’t possible. You need to be able to decrypt the values to be able to run pulumi.

No, I’m talking about segregation of roles. We don’t want to permit everyone to run pulumi on production, but we do want to allow developers to encrypt new secrets.

Ah, so no developer should be able to execute Pulumi locally?

No, we want only a few devs to be able to deploy production. But we don’t want them to be interrupted with requests like ‘Please add this token to the prod secrets’; we’d rather allow developers to do it themselves with a PR.

I mean, it’s possible, but you’d need to craft the permissions on the key so those people can write and not read. It’s certainly well out of the scope of community support.
If the users can successfully do
pulumi config set
then it’ll work.

We gave them permission to encrypt without decryption permissions. The thing is, Pulumi’s implementation creates an extra key which has to be decrypted by KMS, and they are not allowed to do that.
This key
It’s certainly well out of the scope of community support
Is there paid customer support, btw? I couldn’t find it anywhere.

I can have someone reach out.