No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

You wouldn't be able to set that as an encrypted value in `Pulumi.&lt;stack&gt;.yaml` because that is what is used to encrypt other secret values that you store in your stack config when using the passphrase as your secrets provider.

Your only option is to set that env var for each stack when you are using passphrase secrets provider. Obviously, the way around that is to use the same password but it's a bad idea to use the same password for encrypting secrets used in each stack if this anything more than a personal project that you are playing with.

One other alternative is that I created a <https://deskypus.github.io|desktop app> that supports environments like Postman does for situations like this. The idea is that you can switch environments on the fly and thus activating the relevant env vars from the system tray icon.

I see your point for PULUMI_CONFIG_PASSPHRASE. However, I don't see why I can't have gitignored files `<http://passphrase.dev|passphrase.dev>` and `passphrase.prod` and reference them in my `Pulumi.dev.yaml` or `Pulumi.prod.yaml` configs.

What makes this issue even worse is that I can't even use tools like direnv for that because the PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE vars do not differentiate between stacks

&gt; However, I don't see why I can't have gitignored files `<http://passphrase.dev|passphrase.dev>` and `passphrase.prod` and reference them in my `Pulumi.dev.yaml` or `Pulumi.prod.yaml` configs.
You should consider opening a suggestion in `pulumi/pulumi` . Your suggestion sounds reasonable to me.

&gt; What makes this issue even worse is that I can't even use tools like direnv for that because the PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE vars do not differentiate between stacks
Yep. I hear you. I've run into the same experience. The desktop app I am building lets you switch stacks using the system tray icon too. but of course, anytime env vars are changed, you have to either source them in your current session or open a new session.