# general
p
Hi, I'm trying to work with secrets on the Project level. I've seen this documentation: https://www.pulumi.com/blog/project-config-mvp/ However, there is no information on the secrets and I can't figure out how to work with the Project level config (Pulumi.yaml) via `pulumi config` commands, so what I did was that I created a stack, moved the encryption related blocks to the Pulumi.yaml as well as the secrets, where I simply added the `value:` block to the secrets and unsurprisingly, the `pulumi config get ...` command crashes. Attached image shows what the Pulumi.yaml looks like and the crash looks like this (I'd post it as a GH issue, but it does feel like it's my fault):
================================================================================
The Pulumi CLI encountered a fatal error. This is a bug!
We would appreciate a report: <https://github.com/pulumi/pulumi/issues/>
Please provide all of the text below in your report.
================================================================================
Pulumi Version:   v3.185.0
Go Version:       go1.24.5
Go Compiler:      gc
Architecture:     amd64
Operating System: windows
Panic:            attempt to decrypt value

goroutine 1 [running]:
runtime/debug.Stack()
        runtime/debug/stack.go:26 +0x5e
main.panicHandler(0xc000f55f1f)
        github.com/pulumi/pulumi/pkg/v3/cmd/pulumi/main.go:37 +0x45
panic({0x294d2a0?, 0x36d41d0?})
        runtime/panic.go:792 +0x132
github.com/pulumi/pulumi/sdk/v3/go/common/resource/config.panicCrypter.DecryptValue(...)
        github.com/pulumi/pulumi/sdk/v3@v3.184.0/go/common/resource/config/crypt.go:125
github.com/pulumi/pulumi/sdk/v3/go/common/resource/config.object.decrypt({{0x294d2a0?, 0xc001c270f0?}, 0x59?}, {0x3701038, 0x4ecd580}, {0x0, 0x0, 0x0}, {0x29c6a23bff8, 0x4ecd580})
        github.com/pulumi/pulumi/sdk/v3@v3.184.0/go/common/resource/config/object.go:96 +0xfa
github.com/pulumi/pulumi/sdk/v3/go/common/resource/config.object.Decrypt(...)
        github.com/pulumi/pulumi/sdk/v3@v3.184.0/go/common/resource/config/object.go:79
github.com/pulumi/pulumi/sdk/v3/go/common/resource/config.Value.Value({{0xc001bf5b00?, 0x2be8480?}, 0x5?, 0x0?, 0xc000054156?}, {0x29c6a23bff8, 0x4ecd580})
        github.com/pulumi/pulumi/sdk/v3@v3.184.0/go/common/resource/config/value.go:70 +0xc5
github.com/pulumi/pulumi/pkg/v3/cmd/pulumi/config.getConfig({0x3701000, 0x4ecd580}, {0x370c2d0, 0xc001974330}, {0x0}, {0x36eccc8?, 0x4ecd580?}, {0x370e140, 0xc001bba870}, {{0xc000054150, ...}, ...}, ...)
        github.com/pulumi/pulumi/pkg/v3/cmd/pulumi/config/config.go:1141 +0x7ab
github.com/pulumi/pulumi/pkg/v3/cmd/pulumi/config.newConfigGetCmd.func1(0xc001b15808?, {0xc001a3a730, 0x1, 0x2eeabe2?})
        github.com/pulumi/pulumi/pkg/v3/cmd/pulumi/config/config.go:309 +0x2cb
github.com/spf13/cobra.(*Command).execute(0xc001b15808, {0xc001a3a700, 0x1, 0x1})
        github.com/spf13/cobra@v1.8.0/command.go:983 +0xad4
github.com/spf13/cobra.(*Command).ExecuteC(0xc001b14f08)
        github.com/spf13/cobra@v1.8.0/command.go:1115 +0x44f
github.com/spf13/cobra.(*Command).Execute(...)
        github.com/spf13/cobra@v1.8.0/command.go:1039
main.main()
        github.com/pulumi/pulumi/pkg/v3/cmd/pulumi/main.go:64 +0x65
g
That won't work because secrets are encrypted with a per stack key. Have you seen this: https://www.pulumi.com/blog/2022-03-10-hierarchical-config/ Global secrets is a use-case better addressed by ESC.
p
And is there any way to make it work? I would ideally want to have the secret provider set on the Project level as well as some of the secrets there.
g
I am not aware of a way to make that work given how secrets are currently encrypted. There is an issue tracking this capability for those opting to not use ESC: https://github.com/pulumi/pulumi/issues/11549
p
thanks