pulumi-config

Manage Pulumi configuration values

TLDR

View current configuration in JSON format

$ pulumi config [[-j|--json]]

View configuration for a specified stack

$ pulumi config [[-s|--stack]] [stack_name]

Get the value of a configuration key

$ pulumi config get [key]

Remove a configuration value

$ pulumi config rm [key]

Set a value for a configuration key from a file

$ cat [path/to/file] | pulumi config set [key]

Set a secret value (e.g. API key) for a configuration key and store/display as ciphertext

$ pulumi config set --secret [key] [S3cr37_value]

Remove multiple configuration values from a specified configuration file

$ pulumi config --config-file [path/to/file] rm-all [key1 key2 ...]

pulumi config command [options]
pulumi config set key [value] [options]
pulumi config get key [options]
pulumi config rm key [options]
pulumi config ls [options]
pulumi config refresh [options]

PARAMETERS

set key [value]
Sets a configuration value for the current or specified stack. If no value is provided, it will be prompted interactively.

--secret: Encrypts the value as a secret.
--path: Treats the key as a path (e.g., 'a.b.c' for nested objects).
--stack : Operate on a specific stack instead of the current one.

get key
Retrieves a configuration value from the current or specified stack.

--path: Treats the key as a path.
--stack : Operate on a specific stack.

rm key
Removes a configuration value from the current or specified stack.

--path: Treats the key as a path.
--stack : Operate on a specific stack.

ls
Lists all configuration values for the current or specified stack.

--json: Outputs the configuration in JSON format.
--stack : Operate on a specific stack.

refresh
Refreshes the plaintext display of secret config values if the stack's encryption passphrase has changed or if secrets need re-encryption.

--stack : Operate on a specific stack.

DESCRIPTION

pulumi config is a core subcommand of the Pulumi Command Line Interface (CLI) designed for managing configuration settings specific to a Pulumi stack. It provides a robust mechanism to handle dynamic and environment-specific values, such as API keys, region settings, or resource-specific properties, which often differ between deployment environments (e.g., development, staging, production).

The command allows users to set new configuration values, get existing ones, remove unnecessary entries, and list all current settings. A key feature is its ability to handle sensitive data through the --secret option, ensuring that values like passwords or tokens are encrypted and stored securely, preventing them from being exposed in plaintext. This separation of configuration from code promotes reusability, enhances security, and simplifies the management of infrastructure-as-code projects across various operational contexts. Configuration changes typically necessitate running pulumi up to apply them to your deployed resources.

CAVEATS

Configuration values are specific to each Pulumi stack. Changing configuration values, especially sensitive ones, typically requires a pulumi up operation to propagate these changes to your deployed cloud resources. Sensitive values encrypted with --secret can only be decrypted and displayed if the correct stack encryption passphrase is known and provided.

SECRETS MANAGEMENT

The --secret option is vital for securing sensitive data such as API keys, database credentials, or private access tokens. When a value is set as a secret, Pulumi encrypts it before storing it in the stack's configuration file (e.g., Pulumi..yaml). Decryption requires the stack's encryption passphrase, which can be managed by the Pulumi Cloud or provided by the user. This feature significantly enhances the security posture of infrastructure deployments.

PATH-BASED CONFIGURATION

The --path option enables structuring configuration values hierarchically, similar to JSON paths. For example, pulumi config set myService:database:url "mysql://localhost:3306/mydb" --path allows you to define nested configuration objects. This approach improves organization and readability, especially in complex projects with many inter-related configuration settings.

HISTORY

Pulumi, founded in 2017, developed the Pulumi CLI as a core tool for managing cloud infrastructure using familiar programming languages. The pulumi config command has been an integral part of the CLI since its early days, addressing the fundamental need for robust configuration management in infrastructure as code. It evolved with Pulumi's focus on secure and reproducible deployments, solidifying its role in handling environment-specific parameters and sensitive data.