    narrow-vegetable-60985

    3 months ago
    Hi everybody. Does anyone know if it’s possible to work with Pulumi Secrets in the “GitOps” way? Ideal scenario for us would be:
    1. Encrypt data beforehand using any of the supported providers.
    2. Put the encrypted value into Pulumi.<stack>.yaml.
    With regular config values (unencrypted) this works well. Motivation: remove the requirement to set up the Pulumi tool locally just for secrets management and rely on the Git/CD workflow. I’ve tried to encrypt data with Google KMS, but it gives me binary output, so I can’t put this output into Pulumi.<stack>.yaml.

    billowy-army-68599

    3 months ago
    @narrow-vegetable-60985 if you init a stack using
    pulumi stack init --secrets-provider="gcpkms://projects/<p>/locations/<l>/keyRings/<r>/cryptoKeys/<k>"
    then set the config value using
    pulumi config set --secret
    it'll set the value in your stack config
    and it'll be encrypted, so you can check it in

    narrow-vegetable-60985

    3 months ago
    Ah. Indeed. I can encrypt a value with pulumi without granting permissions to the cloud Pulumi stack (even with a local stack) and then just copy the encrypted value to another file. Just tested that. Works fine. Thanks!