witty-vegetable-61961
02/02/2022, 7:43 PM
little-cartoon-10569
02/02/2022, 8:04 PM
echoing-dinner-19531
02/02/2022, 8:20 PM
freezing-van-87649
02/02/2022, 9:12 PM
witty-vegetable-61961
02/02/2022, 10:30 PM
echoing-dinner-19531
02/02/2022, 10:38 PM
witty-vegetable-61961
02/02/2022, 10:47 PM
miniature-musician-31262
02/02/2022, 11:29 PM
process.env.SOME_VAR in the case of a Node.js program).
However, it’s common practice to store secret values as secrets (so in ciphertext) in your Pulumi.stackname.yaml files. You can do this by passing the --secret CLI option as described here: https://www.pulumi.com/docs/intro/concepts/secrets/
witty-vegetable-61961
02/02/2022, 11:33 PM
miniature-musician-31262
02/02/2022, 11:38 PM
agreeable-eye-87399
02/03/2022, 3:28 AM
witty-vegetable-61961
02/03/2022, 4:31 PM
miniature-musician-31262
02/03/2022, 6:11 PM
pulumi config set someKey someSecretValue --secret with the appropriate stack selected, yes, to get the encrypted value into the config. Once that’s there, you can use (e.g., in TS)
const config = new pulumi.Config();
const mySecret = config.requireSecret("someKey");
.. and then use mySecret in your program in the normal way. Make sense?
requireSecret, Pulumi will track mySecret as a secret throughout the life of the program. This is all explained in the secrets docs here: https://www.pulumi.com/docs/intro/concepts/secrets/#using-configuration-and-secrets-in-code
witty-vegetable-61961
02/03/2022, 8:45 PM
miniature-musician-31262
02/03/2022, 8:53 PM
pulumi config set creates the config entry (and the stack file, if one doesn’t already exist), but does not persist the entry in the backend (i.e., the Pulumi Service) until you run an update with it. This is intentional and allows you to preview configuration changes without affecting any systems that have already been deployed.
I’m pretty sure this is mentioned in the docs, but it’s probably easy to miss. Lemme see.
pulumi config set all day long, but the value won’t be written to your stack’s state in the Service until you run pulumi up.
witty-vegetable-61961
02/03/2022, 9:25 PM
little-cartoon-10569
02/03/2022, 9:27 PM
pulumi config set writes it to the config file. Are you looking in the correct one? It's always written to the stack file (Pulumi.<dev>.yml) and not the project file (Pulumi.yml).
git status, git diff or similar. This is also handy for finding changes made by your package manager, code editor, etc.
witty-vegetable-61961
02/03/2022, 10:34 PM
little-cartoon-10569
02/03/2022, 11:15 PM
witty-vegetable-61961
02/03/2022, 11:18 PM
little-cartoon-10569
02/03/2022, 11:49 PM
witty-vegetable-61961
02/03/2022, 11:49 PM
echoing-dinner-19531
02/03/2022, 11:51 PM
witty-vegetable-61961
02/03/2022, 11:52 PM