No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Could a Pulumi employee comment on this? Thanks.

Hi Chris, sorry i missed this. for questions like this, its better to email <mailto:support@pulumi.com|support@pulumi.com> - i dont have an answer offhand as i dont have production access. we have security whitepapers and other information we can share via your account executive

<@UCWG26BH7> OK, sounds good; thanks for the pointer!

Just to close the loop, in case others have the same question come across this thread in the future, here is the reply from Support:
&gt; Pulumi engineers carrying out on call shifts have access to the production environment that contains KMS keys used to encrypt secrets. Access to this environment is tracked and audited.

The full response:

&gt; Pulumi engineers carrying out on call shifts have access to the production environment that contains KMS keys used to encrypt secrets. Access to this environment is tracked and audited. You can use an alternative encryption provider with the Pulumi Service and manage the keys yourself. In this case, your encryption keys are fully managed by you and never stored within pulumi production environments. See: <https://www.pulumi.com/docs/intro/concepts/secrets/#initializing-a-stack-with-alternative-encryption>
