1. Docs
  2. Concepts
  3. Resource options
  4. additionalSecretOutputs

Resource option: additionalSecretOutputs

    The additionalSecretOutputs resource option specifies a list of named output properties that should be treated as secrets, which means they will be encrypted. It augments the list of values that Pulumi detects, based on secret inputs to the resource.

    This example ensures that the password generated for a database resource is an encrypted secret:

    let db = new Database("new-name-for-db", { /*...*/ },
        { additionalSecretOutputs: ["password"] });
    
    let db = new Database("new-name-for-db", { /*...*/ },
        { additionalSecretOutputs: ["password"] });
    
    db = Database('db',
        opts=ResourceOptions(additional_secret_outputs=['password']))
    
    db, err := NewDatabase(ctx, "db", &DatabaseArgs{ /*...*/ },
        pulumi.AdditionalSecretOutputs([]string{"password"}))
    
    var db = new Database("new-name-for-db", new DatabaseArgs(),
        new CustomResourceOptions { AdditionalSecretOutputs = { "password" } });
    
    var db = new Database("new-name-for-db",
        DatabaseArgs.Empty,
        CustomResourceOptions.builder()
            .additionalSecretOutputs("password")
            .build());
    
    resources:
      db:
        type: Database
        options:
          additionalSecretOutputs:
            - password
    

    Only top-level resource properties can be designated secret. If sensitive data is nested inside of a property, you must mark the entire top-level output property as secret.

    The additionalSecretOutputs resource option does not apply to component resources, and will not have the intended effect.
      Pulumi AI - What cloud infrastructure would you like to build? Generate Program