In order to use a Stack Reference to obtain output...
# getting-started
n
In order to use a Stack Reference to obtain outputs from another stack, do you need to have permissions to access the other stack's encryption key? I'm running up against this, but it seems sort of odd since the outputs are clearly stored in plaintext in the Pulumi service.
l
AFAIK you can use StackReferences to access only stacks in the same backend. So implicitly, yes, you need access to the encryption key. But effectively, no, since you already have access to the encryption key.
n
Got it, I should probably have clarified: both stacks are using Pulumi Cloud (in the same org, if it matters), but they're using AWS KMS as a secrets provider.
l
Ah. I don't know about that; it's not frequently done, since one of the reasons to use the Pulumi service is to remove the overhead of KMS, which has a cost per secret. Is there a reason to not use the same key for all related projects?
n
To date we've actually done that; a given environment consists of multiple projects deployed to a single AWS account, and the stacks making up an environment all share the same KMS key. But now we're introducing a dependency between environments, which use different keys because different people should have access to the secrets in each environment. We just wanted to access the non-secret outputs.
l
So the problem is that accessing values that you don't need encrypted is failing, because the encryption keys of the source and destination are different? On the surface, that sounds like a bug. I'd consider raising an issue.
As a short-term workaround, Pulumi ESC is currently free and handles this situation natively. You could try adopting that?
n
Thanks, I'll take a look. Last time I looked I was a little unclear what exactly ESC did, but at a glance it's making more sense now.