
most-mouse-38002

11/17/2022, 6:07 PM
Is it not possible to lock down
Pulumi.<stack>.yaml
in a way that you can encrypt secrets, but not decrypt them? Apparently having
Microsoft.KeyVault/vaults/keys/encrypt/action
is not enough; one also needs decrypt?

billowy-army-68599

11/17/2022, 7:23 PM
no, that’s not possible. Anyone who runs the CLI needs to decrypt the secret in order to send it to the cloud provider API

most-mouse-38002

11/18/2022, 8:52 AM
So the CLI requires me to decrypt every secret in the file, if I want to add a new line? In my head this is not an encrypt operation so I would expect it not to need PK access.

billowy-army-68599

11/18/2022, 3:00 PM
I’m not following, I’m afraid. What do you mean by “add a new line”?

most-mouse-38002

11/18/2022, 3:08 PM
I wanted to be able to add new secrets to a config without having to decrypt (Azure KV RBAC with only encrypt). But after reading more it seems Pulumi uses a symmetric and not an asymmetric approach, so it has to decrypt its key within the config. Right?

billowy-army-68599

11/18/2022, 3:11 PM
yes that’s correct

most-mouse-38002

11/18/2022, 3:13 PM
Thanks, I was a bit confused but the docs clear that up as well 👍🏻
Perhaps a dumb question, but is there any way around this? Or is the only secret the vault manages the one Pulumi uses to encrypt its own key?

billowy-army-68599

11/18/2022, 3:26 PM
there’s no way around it, no

most-mouse-38002

11/18/2022, 4:19 PM
Thanks for the help, @billowy-army-68599 ☺️