Hi all - QQ: when running pulumi locally, and adding secrets to my Pulumi.stack.yaml config, what key/phrase/secret is it using to encrypt the values in the yaml file? I have looked through ~/.config/pulumi and I can't find anything that resembles a secret....would it be somewhere else on disk? is it a default? Thanks!
billowy-army-68599
05/13/2025, 6:51 PM
are you using the pulumi cloud backend or something else?
bland-dinner-39530
05/13/2025, 6:52 PM
right now I am doing pulumi up from the cli, so I assumed it was on disk, but yes, to your point, it is connected up to pulumi cloud but not using deployments or anything else
billowy-army-68599
05/13/2025, 6:53 PM
pulumi cloud handles the encryption for you. if you want to bring your own encryption, you can. use pulumi stack change-secrets-provider and you can use a passphrase or cloud KMS key, like AWS KMS
bland-dinner-39530
05/13/2025, 6:56 PM
cool, thank you. So I can answer my security team correctly tho, is there a place I can go in pulumi cloud and rotate a key? I am fine with pulumi cloud handling the encryption, I just need to know some specifics about it. I assume I can find that in the docs somewhere, so I'll take a look
billowy-army-68599
05/13/2025, 6:56 PM
the key is fully managed by Pulumi, so you can’t change it or rotate it manually, no. if you need that capability, I’d recommend using your own keys