# general
Hello! I have a nested Pulumi config and one of the keys has a colon in its name. I want to add secrets under that key, but since the --path option has the format <namespace>:<name>, Pulumi either doesn't allow me to set it, if I specify the whole path with the namespace, or does it in a wrong way, if I omit the namespace. For example:

- With the namespace explicitly specified:

pulumi config set --secret --path 'namespace:sites["https://example.com"].password' password

leads to the error:

error: invalid configuration key: could not parse namespace:sites["https://example.com"].password as a configuration key (configuration keys should be of the form `<namespace>:<name>`)

- When the namespace is omitted:

pulumi config set --secret --path 'sites["https://example.com"].password' password

there's no error, but the config contains:

config:
  sites["https://example:
    com"]:
      password:
        secure: <secret>

Is there any way to work around that? Pulumi v3.116.1.
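Added example (not from this thread, and not Pulumi's own parsing code): a small Go model of the two parsing strategies the question contrasts. naiveSegments splits the path on every '.', which reproduces the fragmented `sites["https://example` / `com"]` keys shown in the config output above. splitNamespace and quotedSegments are a hypothetical quote-aware alternative: a colon counts as the namespace separator only if it appears before the first '[' or '.', and a bracketed, double-quoted segment is taken verbatim, so `https://example.com` stays one key. nest builds the resulting nested map so both outcomes can be compared structurally. All function names are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical illustration of two ways to parse a config path such as
//   sites["https://example.com"].password
// This is NOT Pulumi's code; it only models the behaviour seen in the thread.

// naiveSegments splits a path on every '.', ignoring quoting. Applied to the
// key from the question, this is what turns the URL into two nested keys.
func naiveSegments(path string) []string {
	return strings.Split(path, ".")
}

// splitNamespace separates "<namespace>:<rest>", but only looks for the colon
// BEFORE the first '[' or '.', so a colon inside a quoted segment is never
// mistaken for the namespace separator.
func splitNamespace(key string) (namespace, rest string) {
	head := key
	if i := strings.IndexAny(key, "[."); i >= 0 {
		head = key[:i]
	}
	if i := strings.Index(head, ":"); i >= 0 {
		return key[:i], key[i+1:]
	}
	return "", key
}

// quotedSegments tokenizes a.b["any chars, including : and ."].c into
// segments. A bracketed, double-quoted segment is taken verbatim.
func quotedSegments(path string) ([]string, error) {
	var segs []string
	var cur strings.Builder
	flush := func() {
		if cur.Len() > 0 {
			segs = append(segs, cur.String())
			cur.Reset()
		}
	}
	for i := 0; i < len(path); {
		switch path[i] {
		case '.':
			flush()
			i++
		case '[':
			flush()
			if i+1 >= len(path) || path[i+1] != '"' {
				return nil, fmt.Errorf("offset %d: expected '[\"'", i)
			}
			end := strings.Index(path[i+2:], `"]`)
			if end < 0 {
				return nil, errors.New("unterminated quoted segment")
			}
			segs = append(segs, path[i+2:i+2+end])
			i += 2 + end + 2 // skip [" ... "]
		default:
			cur.WriteByte(path[i])
			i++
		}
	}
	flush()
	return segs, nil
}

// nest builds the nested map a config file would serialize from the segments,
// so the two strategies can be compared structurally rather than by eye.
func nest(segs []string, value any) map[string]any {
	root := map[string]any{}
	node := root
	for i, s := range segs {
		if i == len(segs)-1 {
			node[s] = value
			break
		}
		child := map[string]any{}
		node[s] = child
		node = child
	}
	return root
}

func main() {
	// Constructed input mirroring the question's key.
	key := `namespace:sites["https://example.com"].password`
	ns, rest := splitNamespace(key)
	fmt.Printf("namespace=%q rest=%q\n", ns, rest)
	fmt.Println("naive segments:     ", naiveSegments(rest))
	segs, err := quotedSegments(rest)
	fmt.Println("quote-aware segments:", segs, err)
	fmt.Println("resulting config:   ", nest(segs, "<secret>"))
}
```

The design point is ordering: the namespace separator must be located before quoting is resolved but without looking inside a quoted segment, and the path splitter must treat `["..."]` as opaque. Either step done naively fragments a key that contains ':' or '.'.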
Unrelated, but: prefer not to use config to store things whose existence should be auditable. While Pulumi secrets are properly encrypted, they're also kept in source control and on every machine that can deploy, which makes their existence hard to audit. That is, it can be hard to say "yes Mr. CISO, I have deleted every copy of the compromised password". Instead, those sorts of secrets should be stored in a central location like a managed vault or password manager. All major clouds provide several suitable solutions.
Hi @little-cartoon-10569, you're completely right. In my case there's a sort of chicken-and-egg problem: I want exactly to automate delivery to central secret storage, and usually this config file will never leave the GitLab runner, but sometimes, for debugging purposes, I want to be able to download the config file as an artifact. In any case, thanks for the advice.