# getting-started
g
Hi, is it safe to commit the Pulumi.stack.yaml file to git even if it contains secrets?
c
Yes, it is safe, provided you set the secret with the --secret flag. It is a good idea to commit your stack config files.
g
Even to public repositories? Will someone be able to access my secrets when they try to run the Pulumi program? I'm assuming the secret is encrypted with a key unique to my account.
c
That's right. The secret is encrypted using key material that is specific to your stack. It's not portable to another stack. Even you cannot simply copy/paste your encrypted config value between your own stacks. You have to have the plaintext value in order to re-encrypt for another stack.
g
Okay, thank you
c
And yes, committing your stack config to public repos is fine. Again, remember to use --secret for secret configs. If you accidentally set your secret as a plain config value and commit it to your VCS, you should rotate that secret value and discard the one you accidentally committed in plaintext to your VCS (regardless of the repo visibility).
Also remember if you make your stack config public, even though secrets are encrypted, there may be other info in your stack config that may not be straight-up secrets but you may still want to protect them for any reason, so you should evaluate if that info can be out in the public domain.
g
Got it, thanks