No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

I think you can add it into ENV, like with python `os.getenv()`

That's correct - GH secrets are available as env vars. You can also generate the master PW all in Pulumi using the `random.RandomPassword` resource and Pulumi can be responsible for the secret. You can then retrieve the value via `pulumi stack output --show-secrets`

Oh that's nice!
Thank you both for your help.  :raised_hands::skin-tone-6:

<@U02FZC2RE0Y> do you know what is the ENV name of `encryptionsalt` ? currently it’s stored at `Pulumi.&lt;stack&gt;.yaml` and I want move it to ENV instead of file, then I can push Pulumi stack yaml file to git repo too

<@U04HSHJN1HN> Salts are not secrets, so you can store them in plaintext. What resource are you using with `encryptionsalt`? I don't see it in the docs for `random.RandomPassword` nor the Random provider.

I think it’s created automatically while creating new stack, here is the content of `Pulumi.&lt;stack&gt;.yaml` file after stack created

the `encryptionsalt` is using in python class `StackSettings` def `_deserialize`

<https://github.com/pulumi/pulumi/blob/master/sdk/python/lib/pulumi/automation/_stack_settings.py#L61>

the description is
&gt; This is this stack’s base64 encoded encryption salt. Only used for passphrase-based secrets providers

so it’s not a plaintext, I think it’s a secret and should not be on git repository and is it should be ENV var instead of file?

Ahh, ok. That's why I haven't seen it - I nearly always use the Service backend. No, salts are safe to store in plaintext. It's not a secret.

<https://stackoverflow.com/a/1219908/549>

thank, I use passphare instead of AWS KMS for testing purpose and I’ll change to KMS later :smile: