No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

&gt; To encrypt a configuration setting before runtime, you can use the CLI command `config set` command with a `--secret` flag. You can also set a secret during runtime. Any `Output&lt;T&gt;` value can be marked secret. If an output is a secret, any computed values derived from it—such as those derived through an `apply` call —will also be marked secret. All these encrypted values are stored in your state file.
<https://www.pulumi.com/docs/intro/concepts/secrets/#secrets>

The docs are very thorough for Pulumi, stacks of information there. It just takes time to get used to navigating the Pulumi docs, but the `--secret` flag should be what you want.