No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

You can. <http://api.pulumi.com/api/{org}/{project}/{stack}/decrypt|api.pulumi.com/api/{org}/{project}/{stack}/decrypt> , POST to that endpoint with a JSON object with one field "ciphertext" which has the base64 ciphertext to decrypt.

I'm hoping to get an openapi spec written up for the whole service to make things like this more discoverable

and that would make by wrapper/api stuff obsolete (which would be GREAT).

so I know - is this documented somewhere?

no it's not documented anywhere right now (unless you count code as docs, in which case <https://github.com/pulumi/pulumi/blob/master/pkg/backend/httpstate/client/client.go#L405-L413>)

<@U02J3T6A8LB> VERY good link - that helped me find my bug!  The url is <http://api.pulumi.com/api/stacks/{org}/{project}/{stack}/decrypt|api.pulumi.com/api/stacks/{org}/{project}/{stack}/decrypt> - thanks a bunch for the info - I'd not have found that on my own :slightly_smiling_face:

ah yes sorry, forgot about the /stacks part

will all be much easier with an openapi spec :slightly_smiling_face:

I'm trying that with a stack that has it's own encryption provider (key vault in this case); is it expected that the REST call will work in this case as well?

Nope, the SASS only deals with service encryption/decryption. If you want stack config decrypted from another secrets provider you'll need to query that provider (or just use `pulumi config get)`