Hello everyone, we are trying to push an rds instance provisioning on github, but without commiting the passwords over there. Is there a way we can add it to github secrets and it can be injected during runtime?

I think you can add it into ENV, like with python

os.getenv()

That's correct - GH secrets are available as env vars. You can also generate the master PW all in Pulumi using the

random.RandomPassword

resource and Pulumi can be responsible for the secret. You can then retrieve the value via

pulumi stack output --show-secrets

Oh that's nice! Thank you both for your help. 🙌🏿

@stocky-restaurant-98004 do you know what is the ENV name of

encryptionsalt

?

@creamy-monkey-35142 Salts are not secrets, so you can store them in plaintext. What resource are you using with

encryptionsalt

? I don't see it in the docs for

random.RandomPassword

nor the Random provider.

the

encryptionsalt

is using in python class

StackSettings

_deserialize

Ahh, ok. That's why I haven't seen it - I nearly always use the Service backend. No, salts are safe to store in plaintext. It's not a secret.

thank, I use passphare instead of AWS KMS for testing purpose and I’ll change to KMS later 😄