https://pulumi.com logo
#getting-started
Title
# getting-started
n

narrow-river-17495

03/26/2024, 3:21 PM
In order to use a Stack Reference to obtain outputs from another stack, do you need to have permissions to access the other stack's encryption key? I'm running up against this, but it seems sort of odd since the outputs are clearly stored in plaintext in the Pulumi service.
l

little-cartoon-10569

03/26/2024, 8:28 PM
Afaik you can use StackReferences to access only stacks in the same backend. So implicitly, yes you need access to the encryption key. But effectlvely, no, since you already have access to the encryption key.
n

narrow-river-17495

03/26/2024, 9:29 PM
Got it, I should probably have clarified: both stacks are using Pulumi Cloud (in the same org, if it matters), but they're using AWS KMS as a secrets provider.
l

little-cartoon-10569

03/26/2024, 9:33 PM
Ah. I don't know about that; it's not frequently done, since one of the reasons to use the Pulumi service is to remove the overhead of KMS, which has a cost per secret. Is there a reason to not use the same key for all related projects?
n

narrow-river-17495

03/26/2024, 9:41 PM
To date we've actually done that; a given environment consists of multiple projects deployed to a single AWS account, and the stacks making up an environment all share the same KMS key. But now we're introducing a dependency between environments, which use different keys because different people should have access to the secrets in each environment, just wanted to access the non-secret outputs.
l

little-cartoon-10569

03/26/2024, 9:49 PM
So the problem is that accessing values that you don't need encrypted is failing, because the encryption keys of the source and destination are different? On the surface, that sounds like a bug. I'd consider raising an issue.
As a short-term workaround, Pulumi ESC is currently free and handles this situation natively. You could try adopting that?
n

narrow-river-17495

03/26/2024, 10:08 PM
thanks, I'll take a look, last time I looked I was a little unclear what exactly ESC did, but at a glance its making more sense now