# general
Hi, I've been experimenting with different approaches for secrets providers. Obviously, it is seamless with Pulumi as state backend; for other backends it works seamlessly when using a vault, like KMS for AWS, since there is built-in support for that in `pulumi login`. My curiosity started because I saw that SST uses SSM Parameter Store instead of KMS, and therefore uses the `passphrase` secrets provider. The biggest advantage being for hobbyists who want to save a dollar on a KMS key. I do find the `passphrase` secrets provider lacking; it would be nice if it supported .env files or something to read the passphrase from, instead of only having the option of passing it via environment variables. Ideally, I'd like a solution where the relative workspace can provide the passphrase automatically. I realize it is potentially encouraging worse security practices, but it isn't like you can't add a script file with the passphrase hardcoded. Currently I'm doing things such as:

```bash
PULUMI_CONFIG_PASSPHRASE="$(op read '<op://my-secret-reference/password>')" pulumi up
```

since I have my passphrase in 1Password. I also did a test with SSM such as:

```bash
PULUMI_CONFIG_PASSPHRASE="$(aws ssm get-parameter --name my-secret-passphrase --with-decryption --query Parameter.Value --output text)" pulumi up
```

It would be nice if Pulumi had some built-in logic for where to search for the passphrase, instead of having to rely only on environment variables, as they won't be relative to the working directory. Or SSM and 1Password could be added to `pulumi login`, but it would be nice to have an easier integration point, without having to add support for all kinds of providers, as I'm sure some people use Bitwarden, LastPass among others, and would be the next in line. 😄 Any thoughts?

UPDATE: After a bit more thinking, I realized that `PULUMI_CONFIG_PASSPHRASE_FILE` can be relative, but it does seem like a bit of a hack. 😅 Also I saw this PR, which would actually allow pretty much what I want, since the environment variable can point to a relative file. I mean, I'd like it to be built-in, but I can understand why it isn't.
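The lookup order the post is asking Pulumi for can be approximated today with a small wrapper around `pulumi up`. The script below is an added example written for this thread; it is not Pulumi's code and not the poster's. It honours the two real Pulumi variables mentioned above (`PULUMI_CONFIG_PASSPHRASE` and `PULUMI_CONFIG_PASSPHRASE_FILE`, resolving a relative file against the project directory rather than the caller's cwd), then falls back to a hypothetical `.pulumi-passphrase` file in the project directory, and finally to a hypothetical `PULUMI_PASSPHRASE_CMD` such as the `op read` or `aws ssm get-parameter` commands from the post. The one check a practitioner would want on top of the post's approach is included: a passphrase file that is readable by other users is refused rather than silently used.

```shell
#!/usr/bin/env sh
# Added example for this thread (not Pulumi's own code, not the poster's).
# Resolves the passphrase for Pulumi's `passphrase` secrets provider from, in order:
#   1. PULUMI_CONFIG_PASSPHRASE          (real Pulumi variable) already in the environment
#   2. PULUMI_CONFIG_PASSPHRASE_FILE     (real Pulumi variable); a relative path is
#                                        resolved against the project directory, not the cwd
#   3. <project_dir>/.pulumi-passphrase  (hypothetical filename chosen for this example)
#   4. PULUMI_PASSPHRASE_CMD             (hypothetical variable) holding a shell command
#                                        that prints the passphrase, e.g. `op read ...`
# Prints the passphrase to stdout; returns non-zero when no usable source is found.

# Refuse passphrase files that other users can read (mode must be 0600 or 0400).
read_passphrase_file() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read passphrase file: $f" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback; both print the octal mode bits.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "refusing $f: mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
    # Command substitution drops trailing newlines, so an editor-added newline
    # does not become part of the passphrase.
    v=$(cat "$f")
    printf '%s' "$v"
}

resolve_pulumi_passphrase() {
    project_dir="${1:-.}"

    # 1. explicit environment variable wins
    if [ -n "${PULUMI_CONFIG_PASSPHRASE:-}" ]; then
        printf '%s' "$PULUMI_CONFIG_PASSPHRASE"
        return 0
    fi

    # 2. passphrase file from the environment, made relative to the project dir
    if [ -n "${PULUMI_CONFIG_PASSPHRASE_FILE:-}" ]; then
        f="$PULUMI_CONFIG_PASSPHRASE_FILE"
        case "$f" in
            /*) ;;                       # absolute path: use as-is
            *)  f="$project_dir/$f" ;;   # relative: anchor to the project directory
        esac
        read_passphrase_file "$f" && return 0
        return 1
    fi

    # 3. hypothetical per-project passphrase file
    f="$project_dir/.pulumi-passphrase"
    if [ -f "$f" ]; then
        read_passphrase_file "$f" && return 0
        return 1
    fi

    # 4. hypothetical command that fetches the passphrase from a secrets manager
    if [ -n "${PULUMI_PASSPHRASE_CMD:-}" ]; then
        sh -c "$PULUMI_PASSPHRASE_CMD"
        return $?
    fi

    echo "no passphrase source found for $project_dir" >&2
    return 1
}

# Usage, from anywhere, against a project in ./infra:
#   PULUMI_CONFIG_PASSPHRASE="$(resolve_pulumi_passphrase ./infra)" pulumi -C ./infra up
# or with the post's 1Password command as the last-resort source:
#   PULUMI_PASSPHRASE_CMD="op read '<op://my-secret-reference/password>'" \
#     PULUMI_CONFIG_PASSPHRASE="$(resolve_pulumi_passphrase ./infra)" pulumi -C ./infra up
```

The wrapper only covers the gap the post describes (where to look, relative to the project) and leaves encryption of the checkpoint to Pulumi's `passphrase` provider; it does not change what the provider does with the passphrase once it is in the environment.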