Resource option: additionalSecretOutputs
The additionalSecretOutputs resource option specifies a list of named output properties that should be treated as secrets, which means they will be encrypted. It augments the list of values that Pulumi detects, based on secret inputs to the resource.
This example ensures that the password generated for a database resource is an encrypted secret:
JavaScript / TypeScript:

    let db = new Database("new-name-for-db", { /*...*/ },
        { additionalSecretOutputs: ["password"] });

Python:

    db = Database('db',
        opts=ResourceOptions(additional_secret_outputs=['password']))

Go:

    db, err := NewDatabase(ctx, "db", &DatabaseArgs{ /*...*/ },
        pulumi.AdditionalSecretOutputs([]string{"password"}))

C#:

    var db = new Database("new-name-for-db", new DatabaseArgs(),
        new CustomResourceOptions { AdditionalSecretOutputs = { "password" } });

Java:

    var db = new Database("new-name-for-db",
        DatabaseArgs.Empty,
        CustomResourceOptions.builder()
            .additionalSecretOutputs("password")
            .build());

YAML:

    resources:
      db:
        type: Database
        options:
          additionalSecretOutputs:
            - password

Only top-level resource properties can be designated secret. If sensitive data is nested inside of a property, you must mark the entire top-level output property as secret.
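The top-level rule above, as an added example that is not part of the Pulumi documentation or SDK: hypothetical helpers (`secretOutputsFor`, `lintSecretOutputs`) that reduce paths of sensitive values to the top-level names `additionalSecretOutputs` accepts and flag nested entries in an existing list. The output shape in `sampleOutputs` is constructed, and the code assumes output property names contain no `.` or `[`.

```javascript
// Added example: hypothetical helpers, not part of the Pulumi SDK.

// Constructed sample of a resource's output shape (assumption).
const sampleOutputs = {
  endpoint: "db.example.internal:5432",
  password: "constructed-value",
  connection: { user: "app", credentials: { token: "constructed-value" } },
};

const hasOutput = (outputs, name) =>
  Object.prototype.hasOwnProperty.call(outputs, name);

// First segment of a path such as "connection.credentials.token" or "keys[0]".
function topLevelName(path) {
  return path.split(/[.\[]/)[0];
}

// Given paths to sensitive values, return the de-duplicated, sorted list of
// top-level properties to pass as additionalSecretOutputs. A nested secret
// promotes its whole top-level property, as the rule above requires.
function secretOutputsFor(sensitivePaths, outputs) {
  const names = new Set();
  for (const p of sensitivePaths) {
    const name = topLevelName(p);
    if (!hasOutput(outputs, name)) {
      throw new Error(`no top-level output "${name}" (from "${p}")`);
    }
    names.add(name);
  }
  return [...names].sort();
}

// Lint an existing additionalSecretOutputs list: nested paths and unknown
// names are reported, since neither names a top-level output property.
function lintSecretOutputs(entries, outputs) {
  const problems = [];
  for (const e of entries) {
    if (/[.\[\]]/.test(e)) {
      problems.push(`${e}: nested path, use "${topLevelName(e)}" instead`);
    } else if (!hasOutput(outputs, e)) {
      problems.push(`${e}: not a top-level output`);
    }
  }
  return problems;
}
```

Running `lintSecretOutputs` in a pre-deployment check catches a misspelled or nested entry before it leaves a value unencrypted in state.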
The additionalSecretOutputs resource option does not apply to component resources; setting it on one will not have the intended effect.