Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
m
most-mouse-38002
11/17/2022, 6:07 PMIs it not possible to lock down
Pulumi,<stack>.yamlMicrosoft.KeyVault/vaults/keys/encrypt/actionb
billowy-army-68599
11/17/2022, 7:23 PMno, that’s not possible. Anyone who runs the CLI need to decrypt the secret in order to send it to the cloud provider API
m
most-mouse-38002
11/18/2022, 8:52 AMSo the CLI requires me to decrypt every secret in the file, if I want to add a new line? In my head this is not an encrypt operation so I would expect it not to need PK access.
b
billowy-army-68599
11/18/2022, 3:00 PMI’m not following I’m afraid, what do you mean “add a new line” ?
m
most-mouse-38002
11/18/2022, 3:08 PMI wanted to be able to add new secrets to a config without having to decrypt (azure kv rbac with only encrypt). But after reading more it seems pulumi uses a symmetric and not asymmetric approach so it had to decrypt its key within the confit. Right?
b
billowy-army-68599
11/18/2022, 3:11 PMyes that’s correct
m
most-mouse-38002
11/18/2022, 3:13 PMThanks, I was a bit confused but the docs clears that up as well 👍🏻
Perhaps a dumb question, but is there any way around this? Or is the only secrete vault manages the one pulumi uses to encrypt it’s own key?
b
billowy-army-68599
11/18/2022, 3:26 PMthere’s no way around it no
m
most-mouse-38002
11/18/2022, 4:19 PMThanks for the help, @billowy-army-68599 ☺️