No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hi everyone!

I encrypted a secret using `pulumi config -s uat --config-file target-accounts/Pulumi.uat.yaml set project:dbPassword value --secret`. When I run `pulumi config -s uat --config-file target-accounts/Pulumi.uat.yaml --show-secrets` the secret is successfully decrypted. However, when someone else (another human and our pipeline) runs the second command they get this error:

```error: failed to decrypt encrypted configuration value 'project:dbPassword': [400] Message authentication failed
This can occur when a secret is copied from one stack to another. Encryption of secrets is done per-stack and
it is not possible to share an encrypted configuration value across stacks```
Can anyone suggest what may be wrong?

what backend are you using? are you sure the stack is the same?

The service backend hosted at `<http://app.pulumi.com|app.pulumi.com>`

Both people used `-s uta` which makes the stack explicitly the same.

We are both in the same org. How would I know if both used the same org explicitly?

```pulumi stack ls
NAME               LAST UPDATE   RESOURCE COUNT  URL
demo/dev           4 weeks ago   0               <https://app.pulumi.com/demo/demo-aws-ts-webserver/dev>
demo/dev-pedwards  n/a           n/a             <https://app.pulumi.com/demo/demo-aws-ts-webserver/dev-pedwards>
demo/dev-piers     1 month ago   0               <https://app.pulumi.com/demo/demo-aws-ts-webserver/dev-piers>
demo/dev-tushar    9 months ago  0               <https://app.pulumi.com/demo/demo-aws-ts-webserver/dev-tushar>
demo/integration   4 months ago  0               <https://app.pulumi.com/demo/demo-aws-ts-webserver/integration>
demo/lbriggs*      2 weeks ago   28              <https://app.pulumi.com/demo/demo-aws-ts-webserver/lbriggs>
demo/prod          1 year ago    0               <https://app.pulumi.com/demo/demo-aws-ts-webserver/prod>
demo/staging       3 days ago    0               <https://app.pulumi.com/demo/demo-aws-ts-webserver/staging>```
Both stacks should have the same org name prefixing them, like this

This looks very suspicious. I have an `uat` and an `org/uat`. I am going to try encrypting with `-s org/uat` and see if that helps.

<@U03LSTSHW2E> check in the pulumi UI if the first environment ended up in your personal pulumi org

It absolutely ended up in my personal pulumi org. Thank you very much!