👋 Quick question, is it possible to use a k8s...
# getting-started
e
👋 Quick question, is it possible to use a k8s secret to get a Vault token and use that in a provider? In theory it seems to be yes, but Vault is giving 403 during the preview step (which makes sense, as that secret likely hasn't been fetched yet).
l
You want to construct a provider using a value stored in the cloud? You'll have to fetch that value yourself using another SDK, or at least another provider that doesn't depend on the value stored remotely.
e
You want to do this all in one Pulumi program? It's a bit odd because we expect provider config to be known values, but you could wrap a load of program inside an apply call such that it only runs once the secret is made. Does mean preview won't be able to show you what's going to happen. I'd think this is probably better done as one Pulumi program to make the secret and then using a stack reference in a second program to get hold of it.
e
Gotcha, I'll take a deeper look into Stack References; the secret is initially created from a sidecar I'm using to auto-initialize Vault (which also creates the secret), which may be a deeper anti-pattern, as this is my first foray into Kubernetes in general.
Essentially the goal overall is: Vault starts -> Gets initialized -> Token into secret -> Pull that token -> Use Vault provider to create infrastructure credential and policy -> Add credential and policy to other programs that need to interact with Vault
e
That sounds like a reasonable flow but I don't know Vault very well. I'll ask internally if we've got good examples of using Vault to set up other providers.
e
Any examples pop up?
e
No 😞 I've bumped the question inside again.
e
Thank you!
l
So long as the vault isn't managed from within the same Pulumi program, this will work. Do you have some failing code you'd like to share?