I'm using Automation API and attempting to set KMS as the secrets provider. I thought this was being done but looking at the stack metadata in S3 I'm seeing

"secrets_providers": {"type": "passphrase",...

I'm also being prompted for

PULUMI_CONFIG_PASSPHRASE

which is what started me along this journey... Can somebody tell me what I'm missing? Here's my code:

backend_url = f"s3://{backend_bucket}"
secrets_provider = f"<awskms://alias/{kms_alias_name}>"
project_settings=auto.ProjectSettings(
    name='test',
    runtime="python",
    backend={"url": backend_url}
)
stack_settings=auto.StackSettings(
   secrets_provider=secrets_provider)
stack = auto.create_or_select_stack(stack_name='dev',
                                    project_name='test',
                                    program=pulumi_program,
                                    opts=auto.LocalWorkspaceOptions(project_settings=project_settings,
                                                                    stack_settings={'dev': stack_settings}))
print("successfully initialized stack")

you’ll have to pass in the secrets provider to the create_or_select_stack call too. Here’s a typescript example for reference: https://github.com/pulumi/automation-api-examples/blob/main/nodejs/inlineSecretsProvider-ts/index.ts#L92 (unfortunately needs to be specified both as stack settings and to the createOrSelect call)

awesome, thanks!