Resource option: additionalSecretOutputs
The additionalSecretOutputs resource option specifies a list of named output properties that should be treated as secrets, which means they will be encrypted. It augments the list of values that Pulumi detects, based on secret inputs to the resource.
Applies to custom resources only. The
additionalSecretOutputs resource option applies only to custom resources. In the TypeScript, C#, and Java SDKs it is defined on CustomResourceOptions, so passing it to a component resource is a compile-time error. The Python and Go SDKs expose a single resource-options type, so the option is accepted at compile time and has no direct effect when applied to a component resource.This example ensures that the password generated for a database resource is an encrypted secret:
let db = new Database("new-name-for-db", { /*...*/ },
{ additionalSecretOutputs: ["password"] });
db = Database('db',
opts=ResourceOptions(additional_secret_outputs=['password']))
db, err := NewDatabase(ctx, "db", &DatabaseArgs{ /*...*/ },
pulumi.AdditionalSecretOutputs([]string{"password"}))
var db = new Database("new-name-for-db", new DatabaseArgs(),
new CustomResourceOptions { AdditionalSecretOutputs = { "password" } });
var db = new Database("new-name-for-db",
DatabaseArgs.Empty,
CustomResourceOptions.builder()
.additionalSecretOutputs("password")
.build());
resources:
db:
type: Database
options:
additionalSecretOutputs:
- password
Only top-level resource properties can be designated secret. If sensitive data is nested inside of a property, you must mark the entire top-level output property as secret.
Thank you for your feedback!
If you have a question about how to use Pulumi, reach out in Community Slack.
Open an issue on GitHub to report a problem or suggest an improvement.