I’m thinking about give visibility to developers t...
# general
I’m thinking about give visibility to developers to able update Pulumi secret, but I don’t want developer install Pulumi directly on each laptop, so instead of do something like
Copy code
pulumi config set --secret secretMessage "it's a secret to everybody"
then I want dev push secret string to our github repo like
, is possible to generate secret without install
It's possible, you can look at the encryption code and copy what that does: For service secrets it's just a http call to the service: https://github.com/pulumi/pulumi/blob/master/pkg/secrets/service/manager.go#L46-L52 For the other secret stores it's an AES256 encryption packed into the format "v1&lt;nonce&gt;<base64 of encrypted value>": https://github.com/pulumi/pulumi/blob/master/sdk/go/common/resource/config/crypt.go#L169-L173
Interesting, should I share Symmetric Crypter Key to developers?
Well if you want them to be able to create secrets themselves then you'll have to.
But it's symmetric, so it means they can decrypt secrets as well
The context is I want developers have ability to update KV of Harshicopr Vault, but since we store Pulumi on Github, so I should find a proper way to do it without store KV raw value
I am not sure what best practice is around stuff like this. Probably depends on what exactly these secrets are, how sensitive they are, and if devs need read or just write access.
Thank for advising, I’ll find another way todo that