
limited-rain-96205

05/07/2021, 1:16 AM
Is it possible to use gcpkms as the secrets provider with the Automation API? I've got my project configured to use it (via the secretsProvider field in LocalWorkspaceOptions), but attempting to update a secret results in the following error:
stderr: error: passphrase must be set with PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE environment variables
This error doesn't make sense because those environment variables are not required for Stacks that use the gcpkms secrets provider.

red-match-15116

05/07/2021, 1:22 AM
What version of the CLI are you using? There was a bug fix in 3.2.1 concerning that env var, if you’re using 3.2.0 that might be what you’re running into

limited-rain-96205

05/07/2021, 4:59 PM
@red-match-15116 This is with v3.2.1 of the CLI and the pulumi library in nodejs.

red-match-15116

05/07/2021, 5:08 PM
Got it. So, to answer your original question, i.e.
Is it possible to use gcpkms as the secrets provider with the Automation API?
The answer is if it works with the Pulumi CLI it should work with automation API. My guess is that something is probably misconfigured and the secret provider isn’t plumbing through properly. You’ll have to share your code if you want more direction but in general this example and the secrets page should lead you to the happy path.

limited-rain-96205

05/07/2021, 9:55 PM
@red-match-15116 Thanks. I had been using that example as a reference, but was omitting the 'stackSettings' section because it seemed redundant -- the secretsProvider was already specified in opts. Once I included the 'stackSettings' section, the env var errors went away. (Why does it need a per-stack secrets provider and ignore the main one in opts?) However, there are still some issues. Maybe I'm just not understanding how this is supposed to behave when using the Automation API.
• There is no stack config yaml generated.
• The backend stack data does not contain the config secret that I'm setting programmatically.
Here's my code:
// Node.js Automation API with a Google Cloud KMS secrets provider
import { LocalWorkspace } from '@pulumi/pulumi/automation';

// KMS key used to encrypt the stack's secrets (project, key ring and key names redacted)
const secretsProvider = 'gcpkms://projects/xxxxx/locations/global/keyRings/yyyyy/cryptoKeys/zzzzz';
const stack = await LocalWorkspace.createOrSelectStack(
    {
        stackName: this.stackName,
        projectName: 'pulumi-deployment',
        program: async () => console.log('Program started'),
    },
    {
        // Workspace-level secrets provider
        secretsProvider,
        workDir: __dirname,
        projectSettings: {
            name: 'pulumi-deployment',
            runtime: 'nodejs',
            backend: {
                // GCS bucket holding the stack state (bucket name redacted)
                url: 'gs://xxxxx/deployment',
            },
        },
        // Per-stack secrets provider; without this the passphrase error appears
        stackSettings: {
            [this.stackName]: {
                secretsProvider,
            },
        },
    }
);
// Store a config value encrypted with the KMS key
await stack.setConfig('test', {
    value: 'yes',
    secret: true,
});

red-match-15116

05/07/2021, 10:11 PM
(Why does it need a per-stack secrets provider and ignore the main one in opts?)
Yeah that is indeed odd. Feel free to leave some comments here: https://github.com/pulumi/pulumi/issues/5432
There is no stack config yaml generated.
I think you’ll actually have to run
LocalWorkspace.saveStackSettings()
for this.
The backend stack data does not contain the config secret that I’m setting programmatically.
I believe this only happens once you run
up