How can I tell pulumi to encrypt stack with an ext...
# aws
How can I tell Pulumi to encrypt a stack with an external KMS key? It does not accept a key ARN and naively assumes the key lives in the same AWS account. Is this a bug or a feature? … Scenario 1 works only thanks to the behaviour of KMS, which stores the KMS key ARN as part of the ciphertext.
```text
Pulumi behaviour is bizarre!
KMS_KEY_A  with access from A,B
KMS_KEY_B  with access from B

scenario 1

with A `pulumi stack init --secrets-provider KMS_KEY_A` - works
with B `pulumi config --show-secrets` - works
with B `pulumi config set --secret test "asdf"` - uses key in A to en/decrypt stuff

scenario 2
with B - `pulumi stack init --secrets-provider KMS_KEY_B` - works
but with B - `pulumi stack init --secrets-provider KMS_KEY_A` - does not … because nothing can point to the account ID of KMS_KEY_A
```
Okay, so after an hour of banging my head over why this doesn't work … the problem is inconsistent documentation … The command help doesn't mention how to use an ARN https://www.pulumi.com/docs/iac/cli/commands/pulumi_stack_change-secrets-provider/ but this page does https://www.pulumi.com/docs/iac/concepts/secrets/#aws-key-management-service-kms
@able-rainbow-40322 might be something to improve in our docs.
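Added example (editor's code, not from the thread or from Pulumi): the fix the original poster found is to pass the key as a full ARN inside the `awskms://` URL, so the URL itself carries the region and account of KMS_KEY_A instead of defaulting to the caller's account. The script below builds that URL, extracts the account from an existing provider URL (failing for alias and bare key-id forms, which do fall back to the caller's account), and checks a `Pulumi.<stack>.yaml` against the expected account. The key ARN, account ID `111122223333`, stack name `dev` and the stack file contents are constructed placeholders; it also assumes the caller's principal in account B is granted use of the key in KMS_KEY_A's key policy, as the thread's scenario states.

```shell
#!/bin/sh
# Editor's example. Placeholder key ARN in account 111122223333 (constructed).
KMS_KEY_A_ARN='arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'

# Build the secrets-provider URL from a key ARN. The ARN form embeds region and
# account, so Pulumi does not assume the key lives in the caller's own account.
kms_provider_url() {
  case "$1" in
    arn:aws:kms:*:*:key/*) printf 'awskms://%s\n' "$1" ;;
    *) echo "not a KMS key ARN: $1" >&2; return 1 ;;
  esac
}

# Print the account ID from an awskms:// provider URL. Returns 1 for the
# alias/ or bare key-id forms, which carry no account and resolve against the
# caller's credentials (the cross-account failure in scenario 2).
kms_provider_account() {
  acct=$(printf '%s\n' "$1" |
    sed -n 's|^awskms://arn:aws:kms:[a-z0-9-]*:\([0-9]\{12\}\):key/.*$|\1|p')
  [ -n "$acct" ] || return 1
  printf '%s\n' "$acct"
}

# Check that a Pulumi.<stack>.yaml uses the ARN form and points at the
# expected account. The "secretsprovider:" key is the one Pulumi writes.
check_stack_provider() {
  file=$1
  want=$2
  url=$(sed -n 's/^secretsprovider: *//p' "$file")
  acct=$(kms_provider_account "$url") || return 1
  [ "$acct" = "$want" ]
}

main() {
  url=$(kms_provider_url "$KMS_KEY_A_ARN") || exit 1
  # Commands are printed, not run, so the example works without Pulumi or AWS.
  echo "pulumi stack init dev --secrets-provider \"$url\""
  echo "pulumi stack change-secrets-provider \"$url\""

  # Constructed stack file standing in for what pulumi would write.
  tmp=$(mktemp)
  printf 'secretsprovider: %s\nencryptedkey: AQICAHexample==\n' "$url" > "$tmp"
  if check_stack_provider "$tmp" 111122223333; then
    echo "stack dev encrypts with a key in account 111122223333"
  else
    echo "stack dev is NOT using the expected cross-account key" >&2
  fi
  rm -f "$tmp"
}

main
```

`kms_provider_account` is the check to run before trusting a stack: an `awskms://alias/...?region=...` or `awskms://<key-id>?region=...` value looks valid but is resolved in whatever account the current credentials belong to, which is exactly why scenario 2 failed for account B while the ARN form works.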