Hello everyone! 👋 I created my first stack on aws with Pulumi and everything went smoothly, resources are online and not having to deal with the AWS console everytime is super nice 😄 after that I wanted to use my S3 bucket as a pulumi backend (my Idea is to be able to manage the infrastructure from both my laptop and desktop). I was able to export the stack, then when I tried to import it after logging into the s3 backend, the cli correctly warned me about deserialization issues with

error: could not deserialize deployment: constructing secrets manager of type "service": could not find access token for <https://api.pulumi.com>, have you logged in?

, according to the doc i have to use

pulumi stack change-secrets-provider "<awskms://alias/keyalias?region=myregion>"

. Now, I must be doing something wrong in this part, but I can’t seem to figure it out: I created a Symmetric key (trying with an asymmetric throws

InvalidKeyUsageException

, copied the alias and used the change-secrets-provider command, but i get the following output: (I’m sure the alias is correct, I also tried using the keyId instead of the alias, but i get the same error. I tried with and without passing the region param)

Migrating old configuration and state to new secrets provider
I1006 09:53:48.314796   39657 sink.go:154] defaultSink::Error(error: bad value
<http://github.com/pulumi/pulumi/sdk/v3/go/common/resource/config.symmetricCrypter.DecryptValue|github.com/pulumi/pulumi/sdk/v3/go/common/resource/config.symmetricCrypter.DecryptValue>
	/private/tmp/pulumi-20210928-78813-8xkwft/sdk/go/common/resource/config/crypt.go:158
<http://github.com/pulumi/pulumi/pkg/v3/resource/stack.(*cachingCrypter).DecryptValue|github.com/pulumi/pulumi/pkg/v3/resource/stack.(*cachingCrypter).DecryptValue>
	/private/tmp/pulumi-20210928-78813-8xkwft/pkg/resource/stack/secrets.go:129
<http://github.com/pulumi/pulumi/sdk/v3/go/common/resource/config.Value.Value|github.com/pulumi/pulumi/sdk/v3/go/common/resource/config.Value.Value>
	/private/tmp/pulumi-20210928-78813-8xkwft/sdk/go/common/resource/config/value.go:74
<http://github.com/pulumi/pulumi/sdk/v3/go/common/resource/config.Value.Copy|github.com/pulumi/pulumi/sdk/v3/go/common/resource/config.Value.Copy>
	/private/tmp/pulumi-20210928-78813-8xkwft/sdk/go/common/resource/config/value.go:79
<http://github.com/pulumi/pulumi/sdk/v3/go/common/resource/config.Map.Copy|github.com/pulumi/pulumi/sdk/v3/go/common/resource/config.Map.Copy>
	/private/tmp/pulumi-20210928-78813-8xkwft/sdk/go/common/resource/config/map.go:49
main.migrateOldConfigAndCheckpointToNewSecretsProvider
	/private/tmp/pulumi-20210928-78813-8xkwft/pkg/cmd/pulumi/stack_change_secrets_provider.go:125
main.newStackChangeSecretsProviderCmd.func1
	/private/tmp/pulumi-20210928-78813-8xkwft/pkg/cmd/pulumi/stack_change_secrets_provider.go:102
<http://github.com/pulumi/pulumi/sdk/v3/go/common/util/cmdutil.RunFunc.func1|github.com/pulumi/pulumi/sdk/v3/go/common/util/cmdutil.RunFunc.func1>
	/private/tmp/pulumi-20210928-78813-8xkwft/sdk/go/common/util/cmdutil/exit.go:96
<http://github.com/pulumi/pulumi/sdk/v3/go/common/util/cmdutil.RunResultFunc.func1|github.com/pulumi/pulumi/sdk/v3/go/common/util/cmdutil.RunResultFunc.func1>
	/private/tmp/pulumi-20210928-78813-8xkwft/sdk/go/common/util/cmdutil/exit.go:112
<http://github.com/spf13/cobra.(*Command).execute|github.com/spf13/cobra.(*Command).execute>
	/Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/spf13/cobra@v1.0.0/command.go:846
<http://github.com/spf13/cobra.(*Command).ExecuteC|github.com/spf13/cobra.(*Command).ExecuteC>
	/Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/spf13/cobra@v1.0.0/command.go:950
<http://github.com/spf13/cobra.(*Command).Execute|github.com/spf13/cobra.(*Command).Execute>
	/Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/spf13/cobra@v1.0.0/command.go:887
main.main
	/private/tmp/pulumi-20210928-78813-8xkwft/pkg/cmd/pulumi/main.go:48
runtime.main
	/usr/local/Cellar/go/1.17.1/libexec/src/runtime/proc.go:255
runtime.goexit
	/usr/local/Cellar/go/1.17.1/libexec/src/runtime/asm_amd64.s:1581
)

are you trying to migrate from PulumiService to S3 backend? I did this without changing secrets provider, instead I ran

pulumi stack export --show-secrets

and removed secrets provider form the state, then imported it and configured secrets provider.

Yes I’m trying to migrate and your solution works perfectly! Thank you so much! 🙏 I did not think of inspecting the exported state file 😞