No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

I’ve got an encrypted value in one of my envs which is then pulled into the environmentVariables section, when I run `esc open <env>` it shows up properly (the unencrypted value is visible). but when I run `esc env run — env` the environment variable is set to literally “[secret]“. Am I doing something dumb or this a bug

the correct value is also visible when I run `esc open &lt;env&gt; --format=shell`

filed an issue <https://github.com/pulumi/esc/issues/288>

Responded in the issue, but responding here for folks following along:

ESC run purposefully elides these secrets to help prevent leaking inadvertently in logs or other output. If you pass the `-i` flag, it will bypass this.
&gt; -i, --interactive true to treat the command as interactive and disable output filters

thanks cleve - `-i` is a little unintuitive to me (not sure why interactivity is the thing that lets secrets be visible?)

read through the docs again, for future readers: `esc run` will still pass the un-masked secret as an env var, despite what the `env` command shows. `esc run` just filters the stdout of any secret values, but the secret is actually there.