CoursesPulumiIntermediate

Config & secrets

Per-stack config and encrypted secrets.

Intermediate12 min · lesson 6 of 12

Per-stack configuration is how one program produces different environments. pulumi config set writes values into the stack’s settings file (Pulumi.<stack>.yaml), and your program reads them with the Config API. This keeps environment-specific values (region, instance size, replica count) out of the code and attached to the stack instead.

terminal
$ pulumi config set aws:region us-east-1
$ pulumi config set instanceSize t3.large
$ pulumi config set dbPassword 'S3cr3t!' --secret # encrypted, not plaintext
index.ts
const cfg = new pulumi.Config();
const size = cfg.get("instanceSize") ?? "t3.small"; // plain config
const dbPass = cfg.requireSecret("dbPassword"); // Output<string>, encrypted

Secrets are encrypted

Marking a value --secret encrypts it with the stack’s encryption provider before it is written, so the config file and state store ciphertext, not the plaintext. In your program a secret arrives as an Output that Pulumi tracks as sensitive — it will not print in the CLI, and Pulumi propagates the secret marking to any resource attribute derived from it. This is a real improvement over passing raw secrets through plaintext variables.

Pulumi.prod.yaml
config:
aws:region: us-east-1
payments-infra:instanceSize: t3.large
payments-infra:dbPassword:
secure: v1:8fKz... # ciphertext, decryptable only with the stack key
Secret-ness propagates — do not launder it
When you .apply() a secret Output, the result stays secret; that is deliberate. Do not defeat it by writing the decrypted value into a plain string, a log, or a non-secret output — that leaks it into state or CI logs in plaintext. Keep secrets as secret Outputs all the way into the resource that consumes them.