https://pulumi.com logo
Title
b

big-magazine-43532

06/22/2022, 10:24 PM
Hi everyone! I encrypted a secret using
pulumi config -s uat --config-file target-accounts/Pulumi.uat.yaml set project:dbPassword value --secret
. When I run
pulumi config -s uat --config-file target-accounts/Pulumi.uat.yaml --show-secrets
the secret is successfully decrypted. However, when someone else (another human and our pipeline) runs the second command they get this error:
error: failed to decrypt encrypted configuration value 'project:dbPassword': [400] Message authentication failed
This can occur when a secret is copied from one stack to another. Encryption of secrets is done per-stack and
it is not possible to share an encrypted configuration value across stacks
Can anyone suggest what may be wrong?
b

billowy-army-68599

06/22/2022, 10:26 PM
what backend are you using? are you sure the stack is the same?
b

big-magazine-43532

06/22/2022, 10:28 PM
The service backend hosted at
<http://app.pulumi.com|app.pulumi.com>
Both people used
-s uta
which makes the stack explicitly the same.
b

billowy-army-68599

06/22/2022, 10:29 PM
in the same org?
b

big-magazine-43532

06/22/2022, 10:30 PM
We are both in the same org. How would I know if both used the same org explicitly?
b

billowy-army-68599

06/22/2022, 10:31 PM
run
pulumi stack ls
from both places
pulumi stack ls
NAME               LAST UPDATE   RESOURCE COUNT  URL
demo/dev           4 weeks ago   0               <https://app.pulumi.com/demo/demo-aws-ts-webserver/dev>
demo/dev-pedwards  n/a           n/a             <https://app.pulumi.com/demo/demo-aws-ts-webserver/dev-pedwards>
demo/dev-piers     1 month ago   0               <https://app.pulumi.com/demo/demo-aws-ts-webserver/dev-piers>
demo/dev-tushar    9 months ago  0               <https://app.pulumi.com/demo/demo-aws-ts-webserver/dev-tushar>
demo/integration   4 months ago  0               <https://app.pulumi.com/demo/demo-aws-ts-webserver/integration>
demo/lbriggs*      2 weeks ago   28              <https://app.pulumi.com/demo/demo-aws-ts-webserver/lbriggs>
demo/prod          1 year ago    0               <https://app.pulumi.com/demo/demo-aws-ts-webserver/prod>
demo/staging       3 days ago    0               <https://app.pulumi.com/demo/demo-aws-ts-webserver/staging>
Both stacks should have the same org name prefixing them, like this
b

big-magazine-43532

06/22/2022, 10:33 PM
This looks very suspicious. I have an
uat
and an
org/uat
. I am going to try encrypting with
-s org/uat
and see if that helps.
b

billowy-army-68599

06/22/2022, 10:35 PM
@big-magazine-43532 check in the pulumi UI if the first environment ended up in your personal pulumi org
b

big-magazine-43532

06/22/2022, 10:37 PM
It absolutely ended up in my personal pulumi org. Thank you very much!
b

billowy-army-68599

06/22/2022, 10:37 PM
glad to help!