# azure
s
This message was deleted.
b
no, that’s not possible. Anyone who runs the CLI needs to decrypt the secret in order to send it to the cloud provider API
m
So the CLI requires me to decrypt every secret in the file, if I want to add a new line? In my head this is not an encrypt operation so I would expect it not to need PK access.
b
I’m not following I’m afraid, what do you mean “add a new line”?
m
I wanted to be able to add new secrets to a config without having to decrypt (azure kv rbac with only encrypt). But after reading more it seems pulumi uses a symmetric and not asymmetric approach so it had to decrypt its key within the config. Right?
b
yes that’s correct
m
Thanks, I was a bit confused but the docs clear that up as well 👍🏻
Perhaps a dumb question, but is there any way around this? Or is the only secret the vault manages the one pulumi uses to encrypt its own key?
b
there’s no way around it no
m
Thanks for the help, @billowy-army-68599 ☺️