magnificent-scientist-64889

02/16/2023, 2:02 PM
Hi, I'm experiencing what I believe is an error, not sure if it's working as intended though. I have a project and stack that uses a KMS key in AWS for encrypting config secrets; the key is restricted to be used by the deployment role and the account admin. I have another stack for a separate account that has the same setup. In the second stack, I initialize a stack reference to the first account. When previewing I then get the following error:
error: Preview failed: constructing secrets manager of type "cloud": secrets (code=Unknown): AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access
I can eliminate the error by giving the deployment role in stack 2 access to the KMS key in stack 1. This seems counterintuitive when the stack reference does not expose the config and has the following comment:
/**
 * Fetches the value promptly of the named stack output. May return undefined if the value is
 * not known for some reason.
 *
 * This operation is not supported (and will throw) if the named stack output is a secret.
 *
 * @param name The name of the stack output to fetch.
 */
getOutputValue(name: string): Promise<any>;
Is this by design? Hope someone can shed some light on it. EDIT: looks like a bug https://github.com/pulumi/pulumi/issues/11109
lemon-agent-27707

02/16/2023, 11:32 PM
Yup, stack reference currently assumes access to secrets. Please do give the issue a 👍
magnificent-scientist-64889

02/17/2023, 7:11 AM
I have given it a thumbs up, though it seems not too many are facing that problem.