Hi all! I'm hoping someone could give me a quick s...
# general
Hi all! I'm hoping someone could give me a quick sanity check before I file a bug report on something. I've noticed that attributes of resources that contain a secret value are not encrypted in the stack when the parent resource is exported. However, individual references to that attribute as export are encrypted. In both examples, the output is correctly masked. My expectation is that the secret never shows up in plaintext in the stack export in either case. Am I missing something?
Copy code
import * as pulumi from "@pulumi/pulumi";
import * as docker from "@pulumi/docker";

const config = new pulumi.Config("secrets-demo");
const containerImage = config.requireSecret("containerImage");

// This exposes the secret in the stack export.
export const remoteImage = new docker.RemoteImage("myImage", {
  name: containerImage

const container = new docker.Container(
    image: containerImage
    dependsOn: remoteImage

// This correctly encrypts the secret.
export const imageName = remoteImage.name;
Sample stack contents (the secret value is
Copy code
"resources": [
                    "urn": "urn:pulumi:secrets-demo::secrets-demo::pulumi:pulumi:Stack::secrets-demo-secrets-demo",
                    "custom": false,
                    "type": "pulumi:pulumi:Stack",
                    "outputs": {
                        "imageName": {
                            "4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb44270",
                            "ciphertext": "v1:+h6rqYSR0aiRoY1O:1UHiOwS37dSnyl8uKbzkICop1GwauKMSZ+fKxCxXNw=="
                        "remoteImage": {
                            "id": "sha256:7698f282e5242af2b9d2291458d4e425c75b25b0008c1e058d66b717b4c06fa9ubuntu:latest"
                            "latest": "sha256:7698f282e5242af2b9d2291458d4e425c75b25b0008c1e058d66b717b4c06fa9",
                            "name": "ubuntu:latest",
                            "urn": "urn:pulumi:secrets-demo::secrets-demo::docker:index/remoteImage:RemoteImage::myImage
cc @gentle-diamond-70147
Sounds like a bug. Can you open an issue at https://github.com/pulumi/pulumi ?
Thanks. I'll open a bug report.
cc @big-piano-35669
secrets that are supposed to be encrypted are being exposed in plain text
I've escalated internally as well.
👍 thanks
@bitter-oil-46081 @white-balloon-205 thanks for the quick fix on this issue!
We'll cut a release today to get updated
packages out there, you shouldn't need to update the CLI to get a fix.
👍 2