This message was deleted.
# general
s
This message was deleted.
b
I check these values in without any concerns
b
Thanks, it really does seem pretty reasonable but it just seems a bit of a compromise vs how I might otherwise store secrets in a remote Vault or AWS Secrets Manager service that keeps the encrypted data at arms length. If there's no way to avoid it, I can probably get comfortable with it, thank you!
b
you can of course always store those values in Vault or secrets manager outside of your code and then use a
getSecret
if you wish
b
As in AWS Secrets Manager
getSecret
? I thought I could only pass the ARN to a resource that takes an AWS Secret but not use them in place of a Pulumi Secret. Is it possible to pass one to something that say, takes an actual value like a field such as
Password:
?
b
sorry I’m not following the question?
b
I have a resource that takes a
Password
field and wants a real value as a password (not a reference to an AWS Secret Manager ARN or anything like that) Right now I can pass it a Pulumi secret and it works just fine because Pulumi inserts the unencrypted value of the secret in that field. I'm trying to figure out if there's a way I can use an AWS Secrets Manager secret in the same way. Basically I'd store the secret in AWS Secrets Manager and then use
Password: someAWSSecret
and then Pulumi would insert the real unencrypted value of that secret in the
Password
field the same way it does with a native Pulumi secret.
b
ah, yes. you can use
<https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/getsecretversion/>
and then use this output: https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/getsecretversion/#secretstring_nodejs
b
Ah, I had only looked at
getSecret
and not
getSecretVersion
thank you, I'll give that a shot. Thank you very much 🙏