# general
s
This message was deleted.
c
I think you can add it into ENV, like with python `os.getenv()`
s
That's correct - GH secrets are available as env vars. You can also generate the master PW all in Pulumi using the `random.RandomPassword` resource and Pulumi can be responsible for the secret. You can then retrieve the value via `pulumi stack output --show-secrets`
o
Oh that's nice! Thank you both for your help. 🙌🏿
c
@stocky-restaurant-98004 do you know what the ENV name of `encryptionsalt` is? Currently it's stored in `Pulumi.<stack>.yaml` and I want to move it to ENV instead of a file, then I can push the Pulumi stack yaml file to the git repo too
s
@creamy-monkey-35142 Salts are not secrets, so you can store them in plaintext. What resource are you using with `encryptionsalt`? I don't see it in the docs for `random.RandomPassword` nor the Random provider.
c
I think it's created automatically while creating a new stack; here is the content of the `Pulumi.<stack>.yaml` file after the stack is created.
The `encryptionsalt` is used in the Python class `StackSettings`, in `def _deserialize`. The description is:
"This is this stack's base64 encoded encryption salt. Only used for passphrase-based secrets providers"
So it's not plaintext. I think it's a secret and should not be in the git repository; should it be an ENV var instead of a file?
s
Ahh, ok. That's why I haven't seen it - I nearly always use the Service backend. No, salts are safe to store in plaintext. It's not a secret.
c
Thanks, I use a passphrase instead of AWS KMS for testing purposes and I'll change to KMS later 😄