--- title: additionalSecretOutputs url: /docs/iac/concepts/resources/options/additionalsecretoutputs/ --- The `additionalSecretOutputs` resource option specifies a list of named output properties that should be treated as [secrets](/docs/concepts/secrets/), which means they will be encrypted. It augments the list of values that Pulumi detects, based on secret inputs to the resource. > **Applies to custom resources only.** The `additionalSecretOutputs` resource option applies only to custom resources. In the TypeScript, C#, and Java SDKs it is defined on `CustomResourceOptions`, so passing it to a [component resource](/docs/iac/concepts/components/) is a compile-time error. The Python and Go SDKs expose a single resource-options type, so the option is accepted at compile time and has no direct effect when applied to a component resource. This example ensures that the password generated for a database resource is an encrypted secret: ```typescript let db = new Database("new-name-for-db", { /*...*/ }, { additionalSecretOutputs: ["password"] }); ``` ```python db = Database('db', opts=ResourceOptions(additional_secret_outputs=['password'])) ``` ```go db, err := NewDatabase(ctx, "db", &DatabaseArgs{ /*...*/ }, pulumi.AdditionalSecretOutputs([]string{"password"})) ``` ```csharp var db = new Database("new-name-for-db", new DatabaseArgs(), new CustomResourceOptions { AdditionalSecretOutputs = { "password" } }); ``` ```java var db = new Database("new-name-for-db", DatabaseArgs.Empty, CustomResourceOptions.builder() .additionalSecretOutputs("password") .build()); ``` ```yaml resources: db: type: Database options: additionalSecretOutputs: - password ``` Only top-level resource properties can be designated secret. If sensitive data is nested inside of a property, you must mark the entire top-level output property as secret.