No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

hey there! How are you reading the file from within Pulumi? You can use standard sops libraries with Pulumi, for example: <https://github.com/koblas/sops-decoder-node>

Then pass that value to your Pulumi program. Pulumi also has secrets encryption built in, tht might make it easier

<@UCWG26BH7> reading SOPS programmatically is not a problem. The problem is that I can't set the properties of Pulumi after it started to execute... i.e. I can't set values in `pulumi.Config`

I was trying to use `--config-file` of Pulumi with SOPS, but Pulumi won't read the file as the file has no extension.

ah i see. How are you decrypting your sops file? I think you'd have to use `sops -d &gt; foo.yaml` and then do `pulumi up --config-file foo.yaml`

I'm curious why you're trying to encrypt your pulumi config with sops though, is there a reason for that?

<@UCWG26BH7> SOPS will be our tool for secrets in general. We'll not only use with Pulumi, but for applications that we build as well, and we want to keep it consistent instead of using SOPS for some things and pulumi secrets for other things.

Anyway, the `sops -d` idea is good. I'll try that out... I initially wanted to do the "safer" usage of SOPS which only allows to read the secrets file and by using `sops -d` I'll have a file in disk which can be read multiple times. But as the this will only exist temporarily inside of the pipeline, I think I don't need to be as concerned as I was when I'm using SOPS with applications.

Even then, it would be nice if, when the file has no extension, that pulumi attempts to parse the file as `json` and as `yaml` before failing.

<@UCWG26BH7> this is what I was trying to use before and doesn't work btw:

```sops exec-file sops.yaml 'pulumi up --config-file {}'```
my guess at the moment is that it's because the temp file generated by SOPS is not having an extension.

<@UCWG26BH7> it could be that there's a bug in Pulumi. It's not able to read the `fifo` generated by `sops` at all. Now that <https://github.com/mozilla/sops/pull/761> is merged, I was able to set the `--filename` which gives me a filename like `/tmp/.sops331513118/xpto.yaml.` . I expected pulumi to read it, but it hangs when I use the `--config-file` flag.