No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hello :slightly_smiling_face:
I have a question about masking secrets in the pulumi preview output :
We create an AWS secret and I don't want the "secret_string" value to be shown in the pulumi preview output. How can I do that ?

Python pulumi code :
```secret_version = aws.secretsmanager.SecretVersion(f"aws_secretversion_{secret_name}", secret_id=secret.id, secret_string=json.dumps(secret_value))```
Pulumi preview output :
```[urn=urn:pulumi:dev::snowflake::aws:secretsmanager/secretVersion:SecretVersion::aws_secretversion_snowflake/user/dev_usr_finops_api]
         [provider=urn:pulumi:dev::snowflake::pulumi:providers:aws::default_4_38_1::04da6b54-80e4-46f7-96ec-b56ff0331ba9]
         secretId    : output&lt;string&gt;
         secretString: (json) {
             password         : "nDXw\"&gt;)ElJK=D+4$IvyJoBrbXR.LNF"
             username         : "TEST"
         }```


In the `opts` for the resource declaration:
```  { additionalSecretOutputs: ["secretString"] },```

But it didn't work :
Pulumi code :
```aws.secretsmanager.SecretVersion(
f"aws_secretversion_{secret_name}",
secret_id=secret.id,            secret_string=json.dumps(secret_value),             opts=ResourceOptions(additional_secret_outputs=["secretString"]))```
(I've tried with "secret_string" instead of secretString, same situation)

Pulumi preview :
```aws:secretsmanager/secretVersion:SecretVersion: (create)
        [urn=urn:pulumi:dev::snowflake::aws:secretsmanager/secretVersion:SecretVersion::aws_secretversion_snowflake/user/dev_usr_finops_api]
        [provider=urn:pulumi:dev::snowflake::pulumi:providers:aws::default_4_38_1::04da6b54-80e4-46f7-96ec-b56ff0331ba9]
        secretId    : output&lt;string&gt;
        secretString: (json) {
            password         : "3BY,&amp;LwsG__\\=)0/MUch[Te=J)zh[5"
            username         : "TEST"
        }```
Am i missing something ?

That looks like a bug, can you raise an issue at <http://github.com/pulumi/pulumi|github.com/pulumi/pulumi> so we can track that? Setting additional secret outputs should be sufficient to get that masked as [secret]

Thanks <@U02J3T6A8LB>, I opened an issue : <https://github.com/pulumi/pulumi/issues/9581>