No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

no, that’s not possible. Anyone who runs the CLI need to decrypt the secret in order to send it to the cloud provider API

So the CLI requires me to decrypt every secret in the file, if I want to add a new line? In my head this is not an encrypt operation so I would expect it not to need PK access.

I’m not following I’m afraid, what do you mean “add a new line” ?

I wanted to be able to add new secrets to a config without having to decrypt (azure kv rbac with only encrypt). But after reading more it seems pulumi uses a symmetric and not asymmetric approach so it had to decrypt its key within the confit. Right?

Thanks, I was a bit confused but the docs clears that up as well :+1::skin-tone-2:

Perhaps a dumb question, but is there any way around this? Or is the only secrete vault manages the one pulumi uses to encrypt it’s own key?

Thanks for the help, <@UCWG26BH7> :relaxed: