If you do pulumi stack and get an error like this:
error: getting selected stack: failed to decrypt: incorrect passphrase, please set PULUMI_CONFIG_PASSPHRASE to the correct passphrase or set PULUMI_CONFIG_PASSPHRASE_FILE to a file containing the passphrase
Check what value is being used for the passphrase, in powershell, $env:PULUMI_CONFIG_PASSPHRASE.
Ultimately you simply need to ensure the passphrase is correct. The issue I had was it looked correct but the project I was working on at the time had a different passphrase to our other projects. Turns out the passphrase for this project was "", an empty string.
Best practice suggestion - keep the passphrase consistent across all dev projects and stacks, then different for all prod stacks.
To change the password for a stack you can use this: pulumi stack change-secrets-provider passphrase. Apply this to ALL stacks. Also do it for the PROD stack but you want to use a different passphrase for that stack.
Why make the passphrase consistent? When you start working with multiple Pulumi projects, when you change projects, you have to remember to log into the correct Pulumi backend, plus ensure you are logged into the correct Azure tenant and have the correct subscription selected. Having different passphrases is one more thing to trip up you and your developers and waste time. Some projects require more security, obviously in those cases you want to prefer being more secure vs being more convenient.
Top comments (0)