been out of Pulumi for a bit but getting back in! is there or is there planned support storing stack config (especially encrypted stack values) in a remote backend? Like S3 bucket, Pulumi hosted etc? We have constraints on storing secrets in git (even if encrypted inside of a pulumi stack file)

can you elaborate a bit more on this?

yeah so like we want to say store API keys, etc in the pulumi stack config. But that stack file lives in git. And we can't have secrets in git (encrypted or otherwise). Looking at options. I know we can dynamically retrieve the stack config from the Pulumi API (if memory serves)

this is the default, you can also use an aws kms key

we will probably push back because seeing/working with the stack file would be easier. Our use case is driving automation of AWS Secrets Manager provisioning and storing the secret material (that will populate secrets manager) in encrypted pulumi stack config objects

just pass

--secret

when setting the value

right - but the encrypted value is still in git because the pulumi-stack.yaml is in the repo

oh, yes. you don't even want encrypted values in there? I'd push them to secrets manager and not use config at all, in that case

it's chicken and egg issues.....secret has to come from somewhere

we only support configuration in the stack config at the moment

roger

Have you thought about using something like https://github.com/mozilla/sops for bootstrap secrets like that? They could be stored in git and with automation-api, decrypted and set in SSM or something.

we’ve used sops before. Handy tool for encrypting files, but this is not an approved method for storing secrets. Can’t approved secret stores are bespoke internal thing, vault, and aws secrets manager. Since all of our infra is in AWS it seems to make sense to use Secrets Manager.