No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hello everyone, I have a question about how Pulumi uses secrets providers. I've configured a stack to use a kms key for encrypting secrets and it seems to be working as all existing secrets were re-encrypted, however, in CloudTrail I get Decrypt events almost exclusively. When adding a new secret to config, only Decrypt events are registered in CloudTrail. Does this mean Pulumi decrypts the `encryptedkey` property from the yaml file and uses that to encrypt the config values? Apologies if it's described somewhere, couldn't find this in the documentation :slightly_smiling_face: