
gentle-knife-93855

09/05/2022, 4:05 PM
Hi, is it safe to commit the Pulumi.stack.yaml file to git even if it contains secrets?

clever-sunset-76585

09/05/2022, 4:33 PM
Yes, it is safe, provided you set the secret with the --secret flag. It is a good idea to commit your stack config files.

gentle-knife-93855

09/05/2022, 4:35 PM
Even to public repositories? Will someone be able to access my secrets when they try to run the Pulumi program? I'm assuming the secret is encrypted with a key unique to my account.

clever-sunset-76585

09/05/2022, 4:37 PM
That's right. The secret is encrypted using key material that is specific to your stack. It's not portable to another stack. Even you cannot simply copy/paste your encrypted config value between your own stacks. You have to have the plaintext value in order to re-encrypt it for another stack.

gentle-knife-93855

09/05/2022, 4:38 PM
Okay, thank you

clever-sunset-76585

09/05/2022, 4:40 PM
And yes, committing your stack config to public repos is fine. Again, remember to use --secret for secret configs. If you accidentally set your secret as a plain config value and commit it to your VCS, you should rotate that secret value and discard the one you accidentally committed in plaintext to your VCS (regardless of the repo visibility).
Also remember that if you make your stack config public, even though secrets are encrypted, there may be other info in your stack config that is not a straight-up secret but that you may still want to protect for whatever reason, so you should evaluate whether that info can be out in the public domain.

gentle-knife-93855

09/05/2022, 4:52 PM
Got it, thanks