No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hi all! I'm hoping someone could give me a quick sanity check before I file a bug report on something.
I've noticed that attributes of resources that contain a secret value are not encrypted in the stack when the parent resource is exported. However, individual references to that attribute as export _are_ encrypted. In both examples, the output is correctly masked. My expectation is that the secret never shows up in plaintext in the stack export in either case. Am I missing something?
```
import * as pulumi from "@pulumi/pulumi";
import * as docker from "@pulumi/docker";

const config = new pulumi.Config("secrets-demo");
const containerImage = config.requireSecret("containerImage");

// This exposes the secret in the stack export.
export const remoteImage = new docker.RemoteImage("myImage", {
  name: containerImage
});

const container = new docker.Container(
  "myContainer",
  {
    image: containerImage
  },
  {
    dependsOn: remoteImage
  }
);

// This correctly encrypts the secret.
export const imageName = remoteImage.name;
```

Sample stack contents (the secret value is `ubuntu:latest`):
```
            "resources": [
                {
                    "urn": "urn:pulumi:secrets-demo::secrets-demo::pulumi:pulumi:Stack::secrets-demo-secrets-demo",
                    "custom": false,
                    "type": "pulumi:pulumi:Stack",
                    "outputs": {
                        "imageName": {
                            "4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb44270",
                            "ciphertext": "v1:+h6rqYSR0aiRoY1O:1UHiOwS37dSnyl8uKbzkICop1GwauKMSZ+fKxCxXNw=="
                        },
                        "remoteImage": {
                            "id": "sha256:7698f282e5242af2b9d2291458d4e425c75b25b0008c1e058d66b717b4c06fa9ubuntu:latest"
,
                            "latest": "sha256:7698f282e5242af2b9d2291458d4e425c75b25b0008c1e058d66b717b4c06fa9",
                            "name": "ubuntu:latest",
                            "urn": "urn:pulumi:secrets-demo::secrets-demo::docker:index/remoteImage:RemoteImage::myImage
"
                        }
                    }
                },
```

Sounds like a bug. Can you open an issue at <https://github.com/pulumi/pulumi> ?

Submitted as <https://github.com/pulumi/pulumi/issues/2862>

secrets that are supposed to be encrypted are being exposed in plain text

<@U87DZN4MT> <@UB3BGTV63> thanks for the quick fix on this issue!

We'll cut a release today to get updated ` @pulumi/pulumi` packages out there, you shouldn't need to update the CLI to get a fix.