pulumi config set: Usage & Common CI Errors
Set the configuration and secrets a stack’s program reads.
pulumi config set writes a configuration value (or encrypted secret) for the selected stack into its Pulumi.<stack>.yaml. Programs read these with the Config API at deploy time.
What it does
pulumi config set <key> <value> stores a plaintext setting; with --secret it encrypts the value using the stack’s secrets provider so it is safe to commit. Values are scoped per stack, so dev and prod can differ. Use config get/rm to read or remove them.
Common usage
# Set a plain config value
pulumi config set aws:region us-east-1 --stack acme/prod
# Set an encrypted secret
pulumi config set dbPassword s3cr3t --secret --stack acme/prod
# Read config from stdin (avoids shell history)
cat token.txt | pulumi config set apiToken --secretCommon error in CI: passphrase required to set a secret
Setting a --secret fails with "error: constructing secrets manager: passphrase must be set with PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE". The passphrase secrets provider has no key in CI. Fix: export PULUMI_CONFIG_PASSPHRASE (from a CI secret) before any config/up command, or use a cloud KMS secrets provider so no passphrase is needed. Always pass --stack so the value lands in the intended environment.
Key options
| Option | Purpose |
|---|---|
| <key> <value> | Set a configuration value |
| --secret | Encrypt the value |
| --stack NAME | Target stack |
| --path | Treat the key as a nested path |
| get / rm | Read or delete a value |