General question about Provider resources. I see ...
# general
m
General question about Provider resources. I see that it is a common choice, both in Pulumi and Terraform, to save provider credentials (API keys) as provider inputs. I wonder why that is. First, it requires saving more secrets in state files - which could have not been saved there in the first place. Second, I think that different principals with the same permissions should be able to run `pulumi` without worrying about state changes in providers. IMO authn/authz should not be saved in IaC state. Some providers allow this (GCP, Kubernetes with GKE auth helper) but a lot do not (Datadog, LaunchDarkly, etc). What can I do about providers that save API keys in their state? Will ignoreChanges work?
f
you can also use the credentials from the env vars. yes, this may result in having a file that you `source` to make use of it, but it doesn’t belong to the provider state I think
m
Yes, I now see that the env var is being resolved from inside the provider and not resolved within the client and sent as an input, so shouldn’t be captured as input, thanks!
Will take a look at LaunchDarkly soon