AdditionalSecretOutputs

The additionalSecretOutputs resource option specifies a list of named output properties that should be treated as secrets, which means they will be encrypted. It augments the list of values that Pulumi detects, based on secret inputs to the resource.

This example ensures that the password generated for a database resource is an encrypted secret:

JavaScript / TypeScript:

let db = new Database("new-name-for-db", { /*...*/ },
    { additionalSecretOutputs: ["password"] });

Python:

db = Database('db',
    opts=ResourceOptions(additional_secret_outputs=['password']))

Go:

db, err := NewDatabase(ctx, "db", &DatabaseArgs{ /*...*/ },
    pulumi.AdditionalSecretOutputs([]string{"password"}))

C#:

var db = new Database("new-name-for-db", new DatabaseArgs(),
    new CustomResourceOptions { AdditionalSecretOutputs = { "password" } });

Java:

var db = new Database("new-name-for-db",
    DatabaseArgs.Empty,
    CustomResourceOptions.builder()
        .additionalSecretOutputs("password")
        .build());

YAML:

resources:
  db:
    type: Database
    options:
      additionalSecretOutputs:
        - password

Only top-level resource properties can be designated secret. If sensitive data is nested inside of a property, you must mark the entire top-level output property as secret.
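One way to check the result is to audit the JSON from `pulumi stack export` for sensitive-looking outputs that are still plaintext, and report the top-level property to list in additionalSecretOutputs. This is an added example, not Pulumi's own code. It assumes the export layout (`deployment.resources[].outputs`) and the encrypted-value marker shown in the constants; the name hints, URNs and sample state are constructed for illustration.

```python
# Assumed marker Pulumi writes around an encrypted value in state JSON
# (an assumption of this example; it is not stated on this page).
SIG_KEY = "4dabf18193072939515e22adb298388d"
SECRET_SIG = "1b47061264138c4ac30d75fd1eb44270"
HINTS = ("password", "secret", "token")  # hypothetical name hints; tune per project

def is_secret(value):
    """True if the value is stored as an encrypted secret envelope."""
    return isinstance(value, dict) and value.get(SIG_KEY) == SECRET_SIG

def plaintext_paths(key, value, path):
    """Return paths at or below `path` whose key looks sensitive but is not encrypted."""
    if value is None or is_secret(value):
        return []  # an encrypted top-level property covers everything nested in it
    if any(hint in key.lower() for hint in HINTS):
        return [path]
    found = []
    if isinstance(value, dict):
        for k, v in value.items():
            found += plaintext_paths(k, v, f"{path}.{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            found += plaintext_paths("", v, f"{path}[{i}]")
    return found

def audit(export):
    """Map each resource URN to {top-level output: [plaintext sensitive paths]}."""
    report = {}
    for res in export["deployment"]["resources"]:
        hits = {}
        for name, value in (res.get("outputs") or {}).items():
            paths = plaintext_paths(name, value, name)
            if paths:
                hits[name] = paths  # `name` is what goes in additionalSecretOutputs
        if hits:
            report[res["urn"]] = hits
    return report

def enc():
    """Constructed stand-in for an encrypted output value."""
    return {SIG_KEY: SECRET_SIG, "ciphertext": "v1:constructed"}

URN = "urn:pulumi:dev::app::example:index:Database::"  # constructed URN prefix
SAMPLE = {"version": 3, "deployment": {"resources": [
    {"urn": URN + "ok", "outputs": {"password": enc(), "endpoint": "db.internal"}},
    {"urn": URN + "flat", "outputs": {"password": "constructed-plaintext"}},
    {"urn": URN + "nested", "outputs": {
        "connection": {"host": "db.internal", "password": "constructed-plaintext"}}},
    {"urn": URN + "wrapped", "outputs": {"connection": enc()}},
]}}
```

For the `nested` resource the finding names `connection`, not `connection.password`, as the property to mark secret, because only top-level properties can be designated.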