
narrow-vegetable-60985

06/07/2022, 3:14 PM
Hi everybody. Does anyone know if it’s possible to work with Pulumi Secrets in the “GitOps” way? Ideal scenario for us would be:
1. Encrypt data beforehand using any of the supported providers.
2. Put the encrypted value to the Pulumi.<stack>.yaml
With regular config values (unencrypted) this works well. Motivation: remove the requirement to set up the Pulumi tool locally just for secrets management and rely on a Git/CD workflow. I’ve tried to encrypt data with Google KMS, but it gives me a binary output. So I can’t put this output to Pulumi.<stack>.yaml

billowy-army-68599

06/07/2022, 3:23 PM
@narrow-vegetable-60985 if you init a stack using
pulumi stack init --secrets-provider="gcpkms://projects/<p>/locations/<l>/keyRings/<r>/cryptoKeys/<k>"
then set the config value using
pulumi config set --secret
it'll set the value in your stack config and it'll be encrypted, so you can check it in

narrow-vegetable-60985

06/07/2022, 4:00 PM
Ah. Indeed. I can encrypt a value with pulumi without granting permissions to the cloud Pulumi stack (even with a local stack) and then just copy the encrypted value to another file. Just tested that. Works fine. Thanks!