Hello Everyone, I just started a GCP pulumi project in python, and I actually have a secrets_provider issue that I fail to adresse by myself, so i'm seeking for help (don't know if this is the relevant channel or not). To give a little bit of context, I use a custom backend (a GCP bucket), and GCPKMS as a secret provider, I have a first project (let's call it project A), with only one stack, that setup several GCP ressources (including several services account with relevant roles). I then have another project (B), that use the same backend to store the pulumi state (the same GCP bucket as project A), but a different GCPKMS key as secrets provider (which is also stored in a different gcp project). The issue is that within project B, I am trying to access a ressource (a service account email address) created by project A by using a StackReference, and the get_output function. When I run this locally with my account that has access to both the secrets_provider of project A and project B, everything runs well. When I run this within Github Action (with a service account that only has access to the secrets_provider of project B), I have the following error (for confidentialy I replaced the name of the GCP KMS ressource of project A by XXX):

pulumi:pulumi:StackReference (organization/project_a/prod):
      error: constructing secrets manager of type "cloud": secrets (code=PermissionDenied): rpc error: code = PermissionDenied desc = Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource 'XXX' (or it may not exist).

Am i forced to used the same secrets_provider accross projects, even if the information that I want to share across project is not encrypted? Thanks a lot for your help

It does look like the invoking project does need access to all keys. This may be a bug, or an unavoidable result of the current implementation. If it's not feasible to grant access to A's key to the relevant action, then you could change the implementation of A to push the secret values to a shared key store, vault or other secret manager, to which you can grant access to all services that need it.

Thanks for your answar. At this stage i don't have any secret that should be kept from B, so i ended up using the same secrets_provider, but in the near future I will need to keep things separate. Is it relevant for me to open a github issue to further look into that ? That seems to be an issue with the current implementation

That would be the best way to at least get an official answer from Pulumi. And maybe to get it changed.