No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

can you give an example? I’m not 100% sure?

```pulumi.unsecret(cfg.requireSecret('password')).apply(<http://pulumi.log.info|pulumi.log.info>);```
results with [secret]

I’ve hit this myself. It’s working, but the CLI will essentially _never_ emit a secret value, even one that’s been unwrapped, because all secret values are masked as `[secret]` . I’ll see if I can dig up a reference for you.

Ok, my question was asked and answered in another Slack, so I can’t link directly to it, but the gist is that the CLI masks all secret config with `[secret]` : <https://github.com/pulumi/pulumi/blob/master/pkg/engine/events.go#L208-L225>

But secret values used as inputs are unwrapped anyway. What’s the purpose of explicit unwrap?

image.png

TBH, I don’t have a use case off the top of my head, but I’m sure someone else could come up with one. :slightly_smiling_face: One thing that might be relevant is that only explicitly unwrapped secrets are surfaceable as plain text in checkpoint (state) files — e.g., given the following code:

But you’re right that you’re generally able to extract a raw string, write that string to a file, etc., without having to explicitly unwrap it. I suspect there are cases where unsecret is either useful or necessary — I just haven’t yet hit one myself. :slightly_smiling_face: Hope this helps, though!

I guess I’m looking for
```pulumi output --show-secrets```


oh, yes! if you’ve defined secrets as outputs, then you can absolutely do this. :slightly_smiling_face: