No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

From my understanding:
1- pulumi CLI uses Azure CLI to connect to Azure so does not store anything, simply uses a token retrieved by the azure CLI
2 - outputs/your state are stored in the backend you choose. It is Pulumi by default, but you can choose other backends like an azure blob storage or your local system. In any case, sensitive data in the state is stored encrypted.

In case it helps : <https://www.techwatching.dev/posts/pulumi-azure-backend>

Thanks - great article!
For 2) The setup I was thinking of is using Pulumi for storing the state but Azure KeyVault for the secrets. I haven't found out if secrets generated during a deployment are also stored in Azure KeyVault or if the end up in the stat file.

Hi <@U03JYP1FTH7> , perhaps the switch `secrets-provider` is misleading. I had the same impression too, that I could use a keyvault to store our secrets. But on the contrary, the secrets-provider is actually an *Encryption Provider* in the sense that it uses the given Key in the keyvault to encrypt the secrets in the stack.... So, in short... the secrets end up in the stack (state) file, but will be encrypted with  your key.

I can confirm that only a single key from the vault is being used - I've set up Key Vault as a secrets provider and have seen only a single key being referenced.  I second the motion :slightly_smiling_face: to rename their stack init param to --encryption-key-provider - especially given Azure KV - which provides "keys", "secrets" and "certs".

Thanks for your answers - that clarifies a lot!