I’m thinking about give visibility to developers to able update Pulumi secret, but I don’t want developer install Pulumi directly on each laptop, so instead of do something like

pulumi config set --secret secretMessage "it's a secret to everybody"

then I want dev push secret string to our github repo like

v1:6N+U5QAQu244Jqp1:1G

, is possible to generate secret without install

pulumi

?

It's possible, you can look at the encryption code and copy what that does: For service secrets it's just a http call to the service: https://github.com/pulumi/pulumi/blob/master/pkg/secrets/service/manager.go#L46-L52 For the other secret stores it's an AES256 encryption packed into the format "v1&lt;nonce&gt;<base64 of encrypted value>": https://github.com/pulumi/pulumi/blob/master/sdk/go/common/resource/config/crypt.go#L169-L173

Interesting, should I share Symmetric Crypter Key to developers?

Well if you want them to be able to create secrets themselves then you'll have to.

The context is I want developers have ability to update KV of Harshicopr Vault, but since we store Pulumi on Github, so I should find a proper way to do it without store KV raw value

I am not sure what best practice is around stuff like this. Probably depends on what exactly these secrets are, how sensitive they are, and if devs need read or just write access.

Thank for advising, I’ll find another way todo that