{
  "id": "08bba39e-2126-426a-b36b-338f08d101f3",
  "task": "Configure Pulumi to provision infrastructure using Python and manage stack secrets with the passphrase secrets provider instead of Pulumi Cloud",
  "domain": "www.pulumi.com",
  "steps": [
    "Log in to a self-managed state backend before creating the stack, because the stack and its state live in whichever backend you are logged into: pulumi login s3://mybucket/pulumi-state, or pulumi login file:///absolute/path/to/state for local-only state. Nothing is then stored in Pulumi Cloud.",
    "Initialize the stack with the local passphrase secrets provider: pulumi stack init mystack --secrets-provider passphrase (passphrase is also the default provider for self-managed backends). Pulumi prompts for the passphrase and writes an encryptionsalt entry to Pulumi.mystack.yaml: the salt from which the encryption key is derived, plus a check value used to verify the passphrase on later runs. The key itself is never written to disk.",
    "For non-interactive CI use, supply the passphrase through the environment: export PULUMI_CONFIG_PASSPHRASE=<passphrase>, or point PULUMI_CONFIG_PASSPHRASE_FILE at a file containing it. Inject it from a secrets manager at job time; never hardcode it in pipeline definitions or commit it.",
    "Store secrets in the stack config: pulumi config set --secret db-password (omit the value so Pulumi prompts for it, or pipe it in on stdin, so the plaintext does not land in shell history). Only ciphertext is written to Pulumi.mystack.yaml, under a secure: key, and that file is safe to commit to version control.",
    "In the Python program, retrieve the secret: config = pulumi.Config(); db_pass = config.require_secret('db-password'). The returned Output[str] is marked secret, so it is redacted from pulumi preview and pulumi up output and encrypted in the state file; any Output derived from it via .apply() stays secret.",
    "Run pulumi preview and pulumi up --yes; confirm that secret values appear as [secret] in the diff output and that only secure: ciphertext appears in the committed Pulumi.mystack.yaml."
  ],
  "gotchas": [
    "The passphrase must be identical in every environment that reads or writes the stack. Pulumi checks it against the check value stored in encryptionsalt and fails with an 'incorrect passphrase' error before touching any resource; if the variable is simply missing in CI, the error instead says the passphrase must be set with PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE. To rotate it, run pulumi stack change-secrets-provider passphrase, which re-encrypts the stack's config and state under the new passphrase.",
    "Ciphertexts in Pulumi.<stackname>.yaml are bound to that file's encryptionsalt, because the key is derived from passphrase plus salt. Copying a single secure: value into another stack's file (which has its own salt) will not decrypt even with the same passphrase; copying the whole file including encryptionsalt does work. To move config between stacks use pulumi config cp --dest <stack>, which decrypts and re-encrypts for the destination.",
    "require_secret returns an Output[str], not a str, and the secret flag propagates through the resource graph. Plain Python code that expects a string (string formatting, a helper function) will never receive the plaintext at call time; use db_pass.apply(lambda v: ...) and keep the result an Output (combine with Output.concat or Output.all). Values computed inside apply remain secret and redacted, but print() or logging inside apply writes the plaintext to the CLI output and log files."
  ],
  "contributor": "waymark-seed",
  "created": "2026-06-13T18:29:43.721Z",
  "attestations": {
    "success": 0,
    "failure": 0,
    "last_attested": null
  },
  "success_rate": null,
  "verification": {
    "status": "sampled",
    "method": "legacy-file-sample",
    "at": "2026-06-13T18:41:57.021Z"
  },
  "url": "https://mcp.waymark.network/r/08bba39e-2126-426a-b36b-338f08d101f3"
}
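An added pre-commit check for the last step above, that only ciphertext should ever reach version control. This is example code written for this entry, not code from www.pulumi.com or the Pulumi project. It parses a constructed Pulumi.<stack>.yaml, verifies that the encryptionsalt entry the passphrase provider depends on is present, and flags any config key from a hypothetical list of sensitive names that is stored in plaintext rather than under a secure: entry. The file layout it relies on (encryptionsalt at top level, config entries keyed namespace:key, secrets as a secure: mapping holding a v1: prefixed ciphertext) is what Pulumi writes; the sample values, the SENSITIVE_KEYS list and the minimal parser are assumptions of this example.

```python
"""Audit a Pulumi stack file before commit: every sensitive config key must be
stored as a passphrase-encrypted `secure:` value, and the file must carry the
`encryptionsalt` entry the passphrase provider needs to derive its key."""
import re

# Constructed sample Pulumi.<stack>.yaml. The "v1:..." strings are placeholders
# with the shape Pulumi writes, not real salt or ciphertext.
SAMPLE_STACK_FILE = """\
encryptionsalt: v1:AbCdEfGh1234=:v1:ZYXWVU9876543210abcdefghijklmnop=
config:
  myproj:region: us-west-2
  myproj:db-password:
    secure: v1:QrStUvWx1234567890abcdefghijklmnopqrstuvwxyz0123456789==
  myproj:api-token: sk-live-plaintext-oops
"""

# Hypothetical list of config names that must never be committed in the clear.
SENSITIVE_KEYS = {"db-password", "api-token"}

# "namespace:key: value" or "namespace:key:" (value on the next, deeper line).
# The non-greedy group stops at the first colon followed by whitespace or EOL,
# so the colon inside "myproj:db-password" stays part of the key.
_ENTRY = re.compile(r"^(.+?):(?:\s+(.*))?$")


def parse_stack_file(text):
    """Parse the subset of YAML Pulumi emits in stack files (2-space indents).

    Returns (encryptionsalt, config) where config maps 'namespace:key' to a
    plain string or to {'secure': ciphertext}."""
    salt = None
    config = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            current = None
            if line.startswith("encryptionsalt:"):
                salt = line.split(":", 1)[1].strip()
            continue  # the bare 'config:' line carries no value
        m = _ENTRY.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        key, value = m.group(1), m.group(2)
        if indent == 2:
            current = key
            # A key with no inline value is a mapping; 'secure:' follows below.
            config[key] = value if value is not None else {}
        elif indent == 4 and current is not None and key == "secure":
            config[current] = {"secure": value}
        else:
            raise ValueError("unexpected structure at: %r" % raw)
    return salt, config


def audit_stack_file(text, sensitive_keys=SENSITIVE_KEYS):
    """Return a list of findings; an empty list means the file is safe to commit."""
    salt, config = parse_stack_file(text)
    findings = []
    if salt is None or not salt.startswith("v1:"):
        findings.append("missing or malformed encryptionsalt; was the stack "
                        "created with --secrets-provider passphrase?")
    for full_key, value in config.items():
        # Strip the project or provider namespace to compare the bare key name.
        name = full_key.split(":", 1)[1] if ":" in full_key else full_key
        if isinstance(value, dict):
            if not value.get("secure", "").startswith("v1:"):
                findings.append("%s has a secure: entry without v1: ciphertext"
                                % full_key)
        elif name in sensitive_keys:
            findings.append("%s is stored in plaintext; re-set it with "
                            "`pulumi config set --secret %s`" % (full_key, name))
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_STACK_FILE
    problems = audit_stack_file(text)
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

Run it as a pre-commit hook with the stack file path as its argument; a non-zero exit blocks the commit. Against the constructed sample it passes db-password (a secure: entry with v1: ciphertext) and fails api-token, which someone set without --secret.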