Pulumi Error: 'Missing required configuration variable' — Cause, Fix, and Troubleshooting Guide
Fix Pulumi 'Missing required configuration variable myproject:dbPassword' by setting the stack config value the program requires with pulumi config set.
- #pulumi
- #iac
- #troubleshooting
- #errors
Fixing errors like this? Get 500 free DevOps AI prompts
500 copy-paste AI prompts for the stack you actually run — one PDF, free.
Overview
error: Missing required configuration variable 'myproject:dbPassword' means your Pulumi program called config.require(...) or config.requireSecret(...) for a value, but that key does not exist in the configuration of the currently selected stack. Pulumi resolves required config at the start of pulumi up or pulumi preview, so the run aborts before any resources are created.
The key is namespaced as <project>:<key>. Here myproject is the project name (from Pulumi.yaml) and dbPassword is the key your code asked for. Pulumi reads config from Pulumi.<stack>.yaml (for example Pulumi.dev.yaml), so a value set on one stack is invisible to another.
error: Missing required configuration variable 'myproject:dbPassword'
please set a value using the command `pulumi config set --secret myproject:dbPassword <value>`
Symptoms
pulumi up,pulumi preview, orpulumi refreshexits immediately with theMissing required configuration variableline.- The message names a specific
<project>:<key>such asmyproject:dbPassword. - The failure appears only on some stacks (for example CI’s
prod) but not on the stack you tested locally. - A brand-new stack fails right after
pulumi stack initbecause itsPulumi.<stack>.yamlhas no values yet. - The error mentions
--secretwhen the program usedrequireSecret.
Common Root Causes
1. The value was never set on this stack
Each stack keeps its own config file. If you set dbPassword on dev but are running prod, the value is missing for prod.
pulumi stack --show-name
pulumi config --stack prod
2. Wrong config key or namespace
config.require("dbPassword") on a project named myproject looks up myproject:dbPassword. Setting a differently-named key (typo, or the wrong project namespace like aws:dbPassword) leaves the required key unset.
3. Config file not committed or checked out
Pulumi.<stack>.yaml holds the values. In CI or a fresh clone, if that file was git-ignored or never committed, the required key is absent even though it works on your laptop.
4. Wrong stack selected
Running against an unexpected stack (or none) means Pulumi reads the wrong Pulumi.<stack>.yaml.
pulumi stack select dev
5. Secret expected but only a plaintext value exists (or vice versa)
requireSecret still resolves a plaintext value, but teams often intend it to be encrypted. If nothing at all is set, it is simply missing.
How to Diagnose
Confirm which stack you are on and what it contains:
pulumi stack ls
pulumi stack --show-name
List every config key for the current stack (secrets show as [secret]):
pulumi config
Check a specific stack without switching to it:
pulumi config --stack prod
Inspect the raw file to see exactly what is stored:
cat Pulumi.dev.yaml
Search your program for the key that Pulumi says is missing so you know whether it is require or requireSecret:
grep -rn "dbPassword" .
Fixes
Set the value on the correct stack (secret): For sensitive values like passwords, use --secret so Pulumi encrypts it in the stack config.
pulumi config set --secret myproject:dbPassword 'S0meStr0ngPlaceholder'
You can drop the myproject: prefix — Pulumi assumes the current project namespace:
pulumi config set --secret dbPassword 'S0meStr0ngPlaceholder'
Set a non-secret value: If the program used config.require (not requireSecret) and the value is not sensitive:
pulumi config set myproject:region us-east-1
Target the exact stack in CI: Do not rely on the selected stack in automation; pass --stack explicitly.
pulumi config set --secret --stack prod myproject:dbPassword "$DB_PASSWORD"
Read the value from the environment instead of hardcoding it: In pipelines, pipe a CI secret into pulumi config set before pulumi up, or restructure the program to read from an env var / secret manager.
echo "$DB_PASSWORD" | pulumi config set --secret myproject:dbPassword
Commit the stack config file: Make sure Pulumi.<stack>.yaml is tracked so fresh clones and CI have it. Secret values remain encrypted in the file and are safe to commit when using a proper secrets provider.
git add Pulumi.prod.yaml
git commit -m "Add prod stack config"
Provide a default in code (optional): If the value is truly optional, switch config.require to config.get with a fallback so the program no longer hard-fails.
const dbPassword = config.get("dbPassword") ?? "changeme";
What to Watch Out For
Missing required configuration variableis per-stack — setting it ondevdoes nothing forprod. Set it on every stack that needs it.- The
<project>:namespace matters.aws:region(provider config) is different frommyproject:region(your program’s config). pulumi config set --secretencrypts using the stack’s secrets provider; you still need that provider available to decrypt onpulumi up.- Never paste real passwords into a shell history — use
echo "$VAR" | pulumi config set --secret <key>or read from a secret store. - Renaming your project in
Pulumi.yamlchanges the namespace and can orphan previously-set values. pulumi config setwithout--stackwrites to the currently selected stack; double-checkpulumi stack --show-namefirst.
Related Guides
- Pulumi Error: ‘passphrase must be set’ — Troubleshooting Guide
- Pulumi Error: ‘failed to decrypt configuration’ — Troubleshooting Guide
- Pulumi Error: ‘no stack named dev found’ — Troubleshooting Guide
Get 500 Battle-Tested DevOps AI Prompts — Free
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.