
billowy-spoon-90104

02/08/2023, 4:24 PM
Hi, I'm wondering how others handle the issue of checking Pulumi configs with encrypted secrets into Git (and a GitHub private repo). Do most people take the position that because they're properly encrypted, it's perfectly safe? Or is there some way of keeping secrets out of Git, like is there a way they can be stored only remotely in The Pulumi Service or something else? Thanks in advance!

billowy-army-68599

02/08/2023, 4:26 PM
I check these values in without any concerns

billowy-spoon-90104

02/08/2023, 4:32 PM
Thanks, it really does seem pretty reasonable but it just seems a bit of a compromise vs how I might otherwise store secrets in a remote Vault or AWS Secrets Manager service that keeps the encrypted data at arms length. If there's no way to avoid it, I can probably get comfortable with it, thank you!

billowy-army-68599

02/08/2023, 4:35 PM
you can of course always store those values in Vault or secrets manager outside of your code and then use a `getSecret` if you wish

billowy-spoon-90104

02/08/2023, 4:38 PM
As in AWS Secrets Manager `getSecret`? I thought I could only pass the ARN to a resource that takes an AWS Secret but not use them in place of a Pulumi Secret. Is it possible to pass one to something that, say, takes an actual value like a field such as `Password:`?

billowy-army-68599

02/08/2023, 4:41 PM
sorry I’m not following the question?

billowy-spoon-90104

02/08/2023, 4:45 PM
I have a resource that takes a `Password` field and wants a real value as a password (not a reference to an AWS Secrets Manager ARN or anything like that). Right now I can pass it a Pulumi secret and it works just fine because Pulumi inserts the unencrypted value of the secret in that field. I'm trying to figure out if there's a way I can use an AWS Secrets Manager secret in the same way. Basically I'd store the secret in AWS Secrets Manager and then use `Password: someAWSSecret`, and then Pulumi would insert the real unencrypted value of that secret in the `Password` field the same way it does with a native Pulumi secret.

billowy-army-68599

02/08/2023, 4:46 PM
ah, yes. you can use <https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/getsecretversion/> and then use this output: https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/getsecretversion/#secretstring_nodejs

billowy-spoon-90104

02/08/2023, 4:49 PM
Ah, I had only looked at `getSecret` and not `getSecretVersion`, thank you, I'll give that a shot. Thank you very much 🙏