# pulumi-cloud
j
Hello, quick question and sorry if this has been asked before: Do Pulumi employees have access to the following sensitive information? 1. state file contents 2. Pulumi secret contents Thank you in advance.
g
As far as I know, no, but I'm grabbing someone else who has more Pulumi background to help answer any concerns. Hang tight!
b
Hi @jolly-alligator-19698 just to summarize here:
- We do store your state files when you use the Pulumi service
- Certain users with production access can view those state files, this access is audited
- State is encrypted by a per project key. The default encryption mechanism provisions a key for you in the service
- If you want to maintain full control over encryption, you can encrypt your stacks using an external key service, like AWS KMS, Google Cloud KMS, Azure KeyVault or HashiCorp Vault
- If you use this mechanism, no Pulumi user will be able to view your secrets at all
j
Thanks @billowy-army-68599!
I hope y'all don't mind a follow-up question: In the Pulumi Service, there is an Activity tab showing Changes, Timeline, Configuration, Environment, etc. Can you describe how the contents of e.g. the Activity > Changes information are displayed in plaintext on the web page? Suppose that AWS is configured as the encryption provider. Is the Activity information encrypted with the AWS encryption? cc @great-queen-39697 @billowy-army-68599
b
@jolly-alligator-19698 any property marked as "secret" will be encrypted by your key. If there is a property that is in plaintext that you wish to be secret, you can encrypt it with `additionalSecretOutputs`: https://www.pulumi.com/docs/intro/concepts/secrets/#explicitly-marking-resource-outputs-as-secrets It'll show up in the console as `[secret]`. The secret data is determined by the schema of the provider.
j
Great, thanks for that information @billowy-army-68599