No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Pulumi service is used as a default provider, I'm not sure you can call the service directly but what you can do is to use a different secrets provider service eg. AWS KMS / Hashi Vault and then call that <https://www.pulumi.com/docs/intro/concepts/secrets/#configuring-secrets-encryption>

Yes, I had that idea too, but I dont think this would be an acceptable solution.
Currently I see no way other than spawning a child process, call pulumi cli and interpret the stdout, even tough i wanted to avoid installing the pulumi cli

I keep asking the service team for an openapi spec of the service to point people to, would make these questions easier.
There is a decrypt endpoint you can hit, gimme a minute I'll go dig it out.

POST to `api/{organization}/{project}/{stack}/decrypt` with an object with one field `ciphertext` which is the base64 encoding of the bytes of the secret

hmm I'm pretty sure that's the right url, <https://github.com/pulumi/pulumi/blob/master/pkg/backend/httpstate/client/client.go#L410>
It might be because you don't have the correct auth token set, or did a GET instead of POST?

oh wait! silly me I missed a part of the url `api/stacks/{organization}/{project}/{stack}/decrypt`

This is why we need an openapi spec :laughing:

ok, i receive some value now :slightly_smiling_face: