Config & secrets
Per-stack config and encrypted secrets.
Per-stack configuration is how one program produces different environments. pulumi config set writes values into the stack’s settings file (Pulumi.<stack>.yaml), and your program reads them with the Config API. This keeps environment-specific values (region, instance size, replica count) out of the code and attached to the stack instead.
$ pulumi config set aws:region us-east-1$ pulumi config set instanceSize t3.large$ pulumi config set dbPassword 'S3cr3t!' --secret # encrypted, not plaintext
const cfg = new pulumi.Config();const size = cfg.get("instanceSize") ?? "t3.small"; // plain configconst dbPass = cfg.requireSecret("dbPassword"); // Output<string>, encrypted
Secrets are encrypted
Marking a value --secret encrypts it with the stack’s encryption provider before it is written, so the config file and state store ciphertext, not the plaintext. In your program a secret arrives as an Output that Pulumi tracks as sensitive — it will not print in the CLI, and Pulumi propagates the secret marking to any resource attribute derived from it. This is a real improvement over passing raw secrets through plaintext variables.
config:aws:region: us-east-1payments-infra:instanceSize: t3.largepayments-infra:dbPassword:secure: v1:8fKz... # ciphertext, decryptable only with the stack key