Hi is it safe to commit the Pulumi stack yaml file to git ev

Question

Hi is it safe to commit the Pulumi stack yaml file to git even if it contains secrets

clever-sunset-76585 · Answer

Yes it is safe provided you set the secret with the ` secret` flag It is a good idea to commit your stack config files

gentle-knife-93855 · Answer

Even to public repositories Will someone be able to access my secrets when they try to run the Pulumi program I m assuming the secret is encrypt with a key unique to my account

clever-sunset-76585 · Answer

That s right The secret is encrypted using a key material that is specific to your stack It s not portable to another stack Even you cannot simply copy paste your encrypted config value between your own stacks You have to have the plaintext value in order to re encrypt for another stack

gentle-knife-93855 · Answer

Okay thank you

clever-sunset-76585 · Answer

And yes committing your stack config to public repos is fine Again remember to use ` secret` for secret configs If you accidentally set your secret as a plain config value and commit it to your VCS you should rotate that secret value and discard the one you accidentally committed in plaintext to your VCS regardless of the repo visibility

clever-sunset-76585 · Answer

Also remember if you make your stack config public even though secrets are encrypted there may be other info in your stack config that may not be straight up secrets but you may still want to protect them for any reason so you should evaluate if that info can be out in the public domain

gentle-knife-93855 · Answer

Got it thanks