This message was deleted.
# generals
sparse-intern-71089
02/13/2023, 6:05 AMThis message was deleted.
e
echoing-dinner-19531
02/13/2023, 11:12 AMIt's possible, you can look at the encryption code and copy what that does:
For service secrets it's just a http call to the service: https://github.com/pulumi/pulumi/blob/master/pkg/secrets/service/manager.go#L46-L52
For the other secret stores it's an AES256 encryption packed into the format "v1<nonce><base64 of encrypted value>": https://github.com/pulumi/pulumi/blob/master/sdk/go/common/resource/config/crypt.go#L169-L173
c
creamy-monkey-35142
02/13/2023, 11:25 AMInteresting, should I share Symmetric Crypter Key to developers?
e
echoing-dinner-19531
02/13/2023, 11:26 AMWell if you want them to be able to create secrets themselves then you'll have to.
echoing-dinner-19531
02/13/2023, 11:26 AMBut it's symmetric, so it means they can decrypt secrets as well
c
creamy-monkey-35142
02/13/2023, 11:29 AMThe context is I want developers have ability to update KV of Harshicopr Vault, but since we store Pulumi on Github, so I should find a proper way to do it without store KV raw value
e
echoing-dinner-19531
02/13/2023, 11:33 AMI am not sure what best practice is around stuff like this. Probably depends on what exactly these secrets are, how sensitive they are, and if devs need read or just write access.
👍 1
c
creamy-monkey-35142
02/13/2023, 11:34 AMThank for advising, I’ll find another way todo that
2 Views