Hi, I have another question, even if the Secret environment variables are encrypted end-to-end, but Pulumi Service is not a self-host environment, how do you ensure our AWS credential or kubeconfig is secure without store it somewhere? From our previous experience, we stored our secrets in vault or as secret in kubernetes cluster, CI/CD containter read them by secretKeyRef to env, everything stays inside the cluster. What Pulumi deployment do now is to pass them via the environment variable to authenticate with AWS or Kubernetes, it there other recommended way to do authentication? Thx.

Environment variables are stored decrypted. They are decrypted and sent to a single use VM that runs your deployment. The VM is deleted after the deployment completes. We've been working on OIDC integration to support temporary credentials that are scoped to an individual deployment run to give more fine grain security options. The code is live, and we're working on publishing documentation and blog posts right now: https://github.com/pulumi/service-requests/issues/144 https://github.com/pulumi/pulumi-hugo/pull/2369

Sounds great! That's relieve our concerns a lot. Hope the docs is ready soon. Thanks

Here you go! https://www.pulumi.com/docs/guides/oidc/

Hey @flat-engineer-30260 thanks for pointing that out, there was an error in the docs on our end. The URL should be

<https://api.pulumi.com/oidc>

- we're updating the docs now but just wanted to give you a heads up.