No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Right now - you need to specifiy `additionalSecretOutputs` to ensure outputs are secret (unless they were also inputs which were provided a secret value).

<https://github.com/pulumi/pulumi-terraform-bridge/issues/10> will make it so that this additional annotation is not required, and "Sensitive" outputs from upstream providers will automatically be marked as secret.

<@UB3BGTV63>, this worked well for `random.RandomPassword` and `tls.PrivateKey` (which are from terraform modules), but didn't work for k8s.Secret. Any idea? Code:
```const vaultAuthAccount = new k8s.core.v1.ServiceAccount(
...

// read from created account token secret
export const vaultAuthToken64 = k8s.core.v1.Secret.get(
  "vault-auth-token",
  pulumi.interpolate`${vaultAuthAccount.metadata.namespace}/${vaultAuthAccount.secrets[0].name}`,
  {
      additionalSecretOutputs: ["data"]
  }
).data.apply(d =&gt; (d as { token: string }).token);```


looks like static method `get` of <https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/kubernetes/core/v1/#Secret> does not honor this option

mb there is some way to create secure `Output` from non-secure `Output`? I could use this as w/a.

Hmm - that doesn't sound right.  Could you open an issue with a report of that? (`get` not respecting this option).

&gt;  mb there is some way to create secure `Output` from non-secure `Output`?
Yeah - `pulumi.secret(output)` should work.

<https://github.com/pulumi/pulumi-kubernetes/issues/956>