# getting-started
w
Hello everyone 🙂 I am currently working with the pulumi rest api to provide data to a cli script. I query api/stacks/<org>/<project>/<stack>/export to get a stack's output. Some of those outputs are encrypted, and I need a way to decrypt those for my script. Is there a way to decrypt the encrypted outputs of a stack/export rest api call without using the pulumi cli/sdk? Can you point me to documentation for this use case?
g
Pulumi service is used as a default provider, I'm not sure you can call the service directly but what you can do is to use a different secrets provider service, e.g. AWS KMS / Hashi Vault, and then call that: https://www.pulumi.com/docs/intro/concepts/secrets/#configuring-secrets-encryption
w
Yes, I had that idea too, but I don't think this would be an acceptable solution. Currently I see no way other than spawning a child process, calling the pulumi cli and interpreting the stdout, even though I wanted to avoid installing the pulumi cli
e
I keep asking the service team for an openapi spec of the service to point people to, would make these questions easier. There is a decrypt endpoint you can hit, gimme a minute I'll go dig it out.
❤️ 1
POST to api/{organization}/{project}/{stack}/decrypt with an object with one field, ciphertext, which is the base64 encoding of the bytes of the secret
👍 1
w
thank you!
The URL results in 404 😞
e
hmm I'm pretty sure that's the right url, https://github.com/pulumi/pulumi/blob/master/pkg/backend/httpstate/client/client.go#L410 It might be because you don't have the correct auth token set, or did a GET instead of POST?
oh wait! silly me I missed a part of the url
api/stacks/{organization}/{project}/{stack}/decrypt
🙌 1
Sorry about that
w
ah!
e
This is why we need an openapi spec 😆
w
thank you
ok, I receive some value now 🙂