No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

You can use pulumi secrets for that <https://www.pulumi.com/docs/intro/concepts/secrets/>

I'm working with AWS, so I have configured it to use a AWS KMS to encrypt the secrets.

on the pulumi state files, you end up with the base64 encrypted value, for each secret you store.

and how does secrets are present in state file ?

you can’t avoid storing the API result like the login password in the statefile, that’s just how pulumi works

you can encrypt those values though, as Diogo mentioned

so, in state file there is not way to have something like ?
```"administratorLoginPassword": &lt;link to KMS or Vault&gt;```

no, any API result that comes back from the azure API gets stored in state

it is same true for AWS and kubernetes providers as well, right?

just want to confirm :slightly_smiling_face:

yep, any provider response will be stored in state, but a secret value will be encrypted

one more question, do you know by any chance if it possible to avoid encrypted sensitive data in Terraform state file?

no, terraform stores all these values in plaintext

you can encrypt the data store, but the values are stored in plaintext

thank you <@UCWG26BH7> and <@U03BS2X3EH1>