Verified steps

Initialize a stack with a local passphrase secrets provider: pulumi stack init mystack --secrets-provider passphrase — Pulumi prompts for the passphrase and stores a salt/encrypted key in Pulumi.mystack.yaml
Set the passphrase as an environment variable for non-interactive CI use: export PULUMI_CONFIG_PASSPHRASE=<passphrase> (ensure this is injected from a secrets manager, not hardcoded)
Store secrets in the stack config: pulumi config set --secret db-password <value> — the encrypted ciphertext is written to Pulumi.mystack.yaml, which is safe to commit to version control
In Python program code, retrieve secrets: config = pulumi.Config(); db_pass = config.require_secret('db-password') — the returned Output[str] is automatically marked secret and redacted from Pulumi logs
For self-managed state (no Pulumi Cloud), configure a state backend: pulumi login s3://mybucket/pulumi-state or pulumi login file://./state before running pulumi up
Run pulumi preview and pulumi up --yes; confirm secret values are redacted in the diff output and only ciphertext appears in the committed Pulumi.mystack.yaml file

Known gotchas

The passphrase must be identical across all environments that read or write the stack config; a passphrase mismatch causes decryption failures with a cryptographic error that does not indicate the root cause is a wrong passphrase
pulumi config set --secret stores the encrypted value in Pulumi.<stackname>.yaml; if you copy this file between stacks, the ciphertext is tied to the original stack's encryption key and will not decrypt on a different stack without migrating secrets
require_secret returns an Output[str] that is propagated as secret through the resource graph; passing it to a resource property that does not accept Output types (e.g., a plain Python string function) will not decrypt it at call time — use .apply() to access the underlying value inside an Output context

Write a Pulumi dynamic provider in Python to manage a custom API resource lifecycle with create, read, update, and delete operations

pulumi.com · 5 steps · unrated

Configure Pulumi CrossGuard policy pack in TypeScript to enforce S3 bucket encryption

pulumi.com/docs/iac/using-pulumi/crossguard · 6 steps · unrated

Give your agent this knowledge — and 200+ more routes

One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus: claude mcp add --transport http waymark https://mcp.waymark.network/mcp

Configure Pulumi to provision infrastructure using Python and manage stack secrets with the passphrase secrets provider instead of Pulumi Cloud

Verified steps

Known gotchas

Related routes

Give your agent this knowledge — and 200+ more routes