No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

yeah so like we want to say store API keys, etc in the pulumi stack config.  But that stack file lives in git.  And we can't have secrets in git (encrypted or otherwise). Looking at options.  I know we can dynamically retrieve the stack config from the Pulumi API (if memory serves)

this is the default, you can also use an aws kms key

<https://www.pulumi.com/docs/intro/concepts/secrets/>

we will probably push back because seeing/working with the stack file would be easier.  Our use case is driving automation of AWS Secrets Manager provisioning and storing the secret material (that will populate secrets manager) in encrypted pulumi stack config objects

just pass `--secret` when setting the value

right - but the encrypted value is still in git because the pulumi-stack.yaml is in the repo

oh, yes. you don't even want encrypted values in there? I'd push them to secrets manager and not use config at all, in that case

it's chicken and egg issues.....secret has to come from somewhere

we are hoping to leverage Pulumi for it because it's nicely integrated

we only support configuration in the stack config at the moment

ok - will talk with the team and see if we can come up with some alternatives

Have you thought about using something like <https://github.com/mozilla/sops> for bootstrap secrets like that?  They could be stored in git and with automation-api, decrypted and set in SSM or something.

I was going to go the sops route but the company I work for has 1password and will probably use that for bootstrap secrets.  Found a handy c# lib that makes is easy.

we’ve used sops before. Handy tool for encrypting files, but this is not an approved method for storing secrets. Can’t approved secret stores are bespoke internal thing, vault, and aws secrets manager. Since all of our infra is in AWS it seems to make sense to use Secrets Manager.