This message was deleted.

I check these values in without any concerns

Thanks, it really does seem pretty reasonable but it just seems a bit of a compromise vs how I might otherwise store secrets in a remote Vault or AWS Secrets Manager service that keeps the encrypted data at arms length. If there's no way to avoid it, I can probably get comfortable with it, thank you!

you can of course always store those values in Vault or secrets manager outside of your code and then use a

getSecret

if you wish

As in AWS Secrets Manager

getSecret

? I thought I could only pass the ARN to a resource that takes an AWS Secret but not use them in place of a Pulumi Secret. Is it possible to pass one to something that say, takes an actual value like a field such as

Password:

?

sorry I’m not following the question?

I have a resource that takes a

Password

field and wants a real value as a password (not a reference to an AWS Secret Manager ARN or anything like that) Right now I can pass it a Pulumi secret and it works just fine because Pulumi inserts the unencrypted value of the secret in that field. I'm trying to figure out if there's a way I can use an AWS Secrets Manager secret in the same way. Basically I'd store the secret in AWS Secrets Manager and then use

Password: someAWSSecret

and then Pulumi would insert the real unencrypted value of that secret in the

Password

field the same way it does with a native Pulumi secret.

ah, yes. you can use

<https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/getsecretversion/>

and then use this output: https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/getsecretversion/#secretstring_nodejs

Ah, I had only looked at

getSecret

and not

getSecretVersion

thank you, I'll give that a shot. Thank you very much 🙏