Skip to content
Latchkey

pulumi config Command Reference

Set and read per-stack configuration and encrypted secrets.

pulumi config manages the configuration bag for a stack. Plain values are stored in the stack config file; secret values are encrypted so they can be committed safely.

What it does

pulumi config reads and writes configuration scoped to the active stack. Values set with --secret are encrypted with the stack secrets provider, so the stack config file is safe to commit alongside your program.

Common flags and usage

  • pulumi config set KEY VALUE: set a plain configuration value
  • pulumi config set --secret KEY VALUE: set an encrypted secret value
  • pulumi config get KEY: read a single value
  • pulumi config: list all values for the current stack
  • --stack / -s NAME: target a specific stack

Example

shell
- name: Configure stack
  env:
    PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  run: |
    pulumi stack select prod
    pulumi config set aws:region us-east-1
    pulumi config set --secret dbPassword "${{ secrets.DB_PASSWORD }}"

In CI

Inject secrets with pulumi config set --secret, sourcing the value from your CI secret store rather than committing it in plaintext. Pin region and other plain settings per stack so an up never relies on ambient environment state. Always select the stack first.

Key takeaways

  • config stores per-stack settings; --secret encrypts sensitive values.
  • Source secret values from the CI secret store, not from committed plaintext.
  • Encrypted config is safe to commit because the secrets provider seals it.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →