Thread
#pulumi-service

    jolly-alligator-19698

    6 months ago
    Hello, quick question and sorry if this has been asked before: Do Pulumi employees have access to the following sensitive information? (1) state file contents, (2) Pulumi secret contents. Thank you in advance.

    great-queen-39697

    6 months ago
    As far as I know, no, but I'm grabbing someone else who has more Pulumi background to help answer any concerns. Hang tight!

    billowy-army-68599

    6 months ago
    Hi @jolly-alligator-19698 just to summarize here:
    • We do store your state files when you use the Pulumi service
    • Certain users with production access can view those state files; this access is audited
    • State is encrypted by a per-project key. The default encryption mechanism provisions a key for you in the service
    • If you want to maintain full control over encryption, you can encrypt your stacks using an external key service, like AWS KMS, Google Cloud KMS, Azure Key Vault or HashiCorp Vault
    • If you use this mechanism, no Pulumi user will be able to view your secrets at all

    jolly-alligator-19698

    6 months ago
    Thanks @billowy-army-68599!
    I hope y'all don't mind a follow-up question: In the Pulumi Service, there is an Activity tab showing Changes, Timeline, Configuration, Environment, etc. Can you describe how the contents of e.g. the Activity > Changes information is displayed in plaintext on the web page? Suppose that AWS is configured as the encryption provider. Is the Activity information encrypted with the AWS encryption? cc @great-queen-39697 @billowy-army-68599

    billowy-army-68599

    6 months ago
    @jolly-alligator-19698 any property marked as "secret" will be encrypted by your key. If there is a property that is in plaintext that you wish to be secret, you can encrypt it with additionalSecretOutputs: https://www.pulumi.com/docs/intro/concepts/secrets/#explicitly-marking-resource-outputs-as-secrets. It'll show up in the console as [secret]. The secret data is determined by the schema of the provider.

    jolly-alligator-19698

    6 months ago
    Great, thanks for that information @billowy-army-68599