Hi Pulumiers... just in case I'm missing something here - is it possible to decrypt a config value using the Pulumi Service REST API? I can get the stack, and the last update/state for the stack - and my goal (for some tests I'm writing) is to be able to use the service to decrypt a config value. Context helps: this is a unit test, and I want to validate that something has been done in the underlying service, the PAT for that service is encrypted in the config.

You can. api.pulumi.com/api/{org}/{project}/{stack}/decrypt , POST to that endpoint with a JSON object with one field "ciphertext" which has the base64 ciphertext to decrypt.

and that would make by wrapper/api stuff obsolete (which would be GREAT).

no it's not documented anywhere right now (unless you count code as docs, in which case https://github.com/pulumi/pulumi/blob/master/pkg/backend/httpstate/client/client.go#L405-L413)

@echoing-dinner-19531 VERY good link - that helped me find my bug! The url is api.pulumi.com/api/stacks/{org}/{project}/{stack}/decrypt - thanks a bunch for the info - I'd not have found that on my own 🙂

ah yes sorry, forgot about the /stacks part

I'm trying that with a stack that has it's own encryption provider (key vault in this case); is it expected that the REST call will work in this case as well?

Nope, the SASS only deals with service encryption/decryption. If you want stack config decrypted from another secrets provider you'll need to query that provider (or just use

pulumi config get)