This message was deleted.

https://blog.pulumi.com/managing-secrets-with-pulumi -- should answer all your questions

thanks @narrow-area-11460! so if im reading this correctly, pulumi console CAN store AWS/cloud credentials but they are encrypted/hashed/other protections are applied to them?

The Pulumi console does not need your AWS credentials. All of your deployments to AWS are done in the environments where you run the

pulumi

CLI - typically your CI/CD or deployment systems (or developer desktops). These credentials are used to talk to AWS, but never passed to Pulumi. The Pulumi console manages storage of the state file used to keep track of what resources are under management. Any secrets that may end up there (inputs or outputs to individual resources) can be fully encrypted as needed per the post @narrow-area-11460 references.

@hundreds-coat-15657 -- encryption is built-in in Pulumi service yes. I do not believe you need to bring your own custom key at this point for encryption? Did I understand that right?

@white-balloon-205 that makes sense, thanks so tldr is pulumi doesnt store creds directly but if creds are passed to the pulumi state files that end up on pulumis servers, those creds can be encrypted as needed

as @white-balloon-205 said AWS creds are not passed to the service and are not stored in the service. But if you pass a "secret" as part of the local configuration from the CLI, then it is encrypted and then this "secret" can be used in your Pulumi program to create resources in the cloud.