No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Is it just me, or unsecret isn't doing anything?

can you give an example? I’m not 100% sure?

```pulumi.unsecret(cfg.requireSecret('password')).apply(<http://pulumi.log.info|pulumi.log.info>);```
results with [secret]

I’ve hit this myself. It’s working, but the CLI will essentially _never_ emit a secret value, even one that’s been unwrapped, because all secret values are masked as `[secret]` . I’ll see if I can dig up a reference for you.

Ok, my question was asked and answered in another Slack, so I can’t link directly to it, but the gist is that the CLI masks all secret config with `[secret]` : <https://github.com/pulumi/pulumi/blob/master/pkg/engine/events.go#L208-L225>

But secret values used as inputs are unwrapped anyway. What’s the purpose of explicit unwrap?

image.png

TBH, I don’t have a use case off the top of my head, but I’m sure someone else could come up with one. :slightly_smiling_face: One thing that might be relevant is that only explicitly unwrapped secrets are surfaceable as plain text in checkpoint (state) files — e.g., given the following code:

But you’re right that you’re generally able to extract a raw string, write that string to a file, etc., without having to explicitly unwrap it. I suspect there are cases where unsecret is either useful or necessary — I just haven’t yet hit one myself. :slightly_smiling_face: Hope this helps, though!

I guess I’m looking for
```pulumi output --show-secrets```


oh, yes! if you’ve defined secrets as outputs, then you can absolutely do this. :slightly_smiling_face: