Hi! Hoping the Pulumi hive mind can help me here. A while back I created a stack using a KMS key as the secrets manager. I removed all the stack resources, but didn’t delete the stack itself. Fast forward a few months and I replaced the KMS key that I’d used, but reused the same alias. Now, when I try to remove the stack created with the old KMS key (but same alias), I get:

error: constructing secrets manager of type "cloud": secrets (code=Unknown): AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
	status code: 400, request id: bda7408f-f87b-43a1-86bd-bf0671c0346d

I have no issues creating/removing a new stack with the same KMS alias as the backing key still exists. Any idea how I can remove that stack? I can just nuke it from the state bucket, but I’m wondering if there’s a more idiomatic way.

Presumably the original key still exists? I think that without it, you won't be able to do anything except destroy the state file. Assuming you do have the original key, you should be able to change the secrets provider key to refer to the key by ID instead of alias. There's more information here: https://www.pulumi.com/docs/intro/concepts/secrets/#aws-key-management-service-kms You can pass the key reference on the command line (

--secrets-provider

) or override the value in the Pulumi.yaml file (or is it in the Pulumi.<stack>.yaml file? I forget).

Thanks @little-cartoon-10569, that’s what I suspected. 😞 I think I nuked the key (and I didn’t notice until now, so I think the pending deletion was set to 7 days or something).. Not a big deal, this was our dev account.