No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

What version of the CLI are you using? There was a bug fix in 3.2.1 concerning that env var, if you’re using 3.2.0 that might be what you’re running into

<@U01038HJ93R> This is with v3.2.1 of the CLI and the pulumi library in nodejs.

Got it. So, to answer your original question, i.e.
&gt; Is it possible to use gcpkms as the secrets provider with the Automation API?
The answer is if it works with the Pulumi CLI it should work with automation API.

My guess is that something is probably misconfigured and the secret provider isn’t plumbing through properly. You’ll have to share your code if you want more direction but in general <https://github.com/pulumi/automation-api-examples/blob/main/nodejs/inlineSecretsProvider-ts/index.ts#L74-L98|this example> and the <https://www.pulumi.com/docs/intro/concepts/secrets/#google-cloud-key-management-service-kms|secrets page> should lead you to the happy path.

<@U01038HJ93R> Thanks. I had been using that example as a reference, but was omitting the 'stackSettings' section because it seemed redundant -- the secretsProvider was already specified in opts. Once I included the 'stackSettings' section, the env var errors went away. (Why does it need a per-stack secrets provider and ignore the main one in opts?)
However, there are still some issues. Maybe I'm just not understanding how this is supposed to behave when using the Automation API.
• There is no stack config yaml generated.
• The backend stack data does not contain the config secret that I'm setting programatically.
Here's my code:
```const secretsProvider = '<gcpkms://projects/xxxxx/locations/global/keyRings/yyyyy/cryptoKeys/zzzzz>';
const stack = await LocalWorkspace.createOrSelectStack(
    {
        stackName: this.stackName,
        projectName: 'pulumi-deployment',
        program: async () =&gt; console.log('Program started'),
    },
    {
        secretsProvider,
        workDir: __dirname,
        projectSettings: {
            name: 'pulumi-deployment',
            runtime: 'nodejs',
            backend: {
                url: '<gs://xxxxx/deployment>',
            },
        },
        stackSettings: {
            [this.stackName]: {
                secretsProvider,
            },
        },
    }
);
await stack.setConfig('test', {
    value: 'yes',
    secret: true,
});```

&gt; (Why does it need a per-stack secrets provider and ignore the main one in opts?)
Yeah that is indeed odd. Feel free to leave some comments here: <https://github.com/pulumi/pulumi/issues/5432>

&gt; There is no stack config yaml generated.
I think you’ll actually have to run `LocakWorkspace.saveStackSettings()` for this.

&gt; The backend stack data does not contain the config secret that I’m setting programatically.
I believe this only happens once you run `up`