- Fix for "Custom providers can leak credentials to state file from environment variables"
[236](https://github.com/pulumi/pulumi-aws-native/issues/236)
**PLEASE READ**
If you set credentials through environment variables (e.g. `AWS_SECRET_ACCESS_KEY`) AND
use the SDK to create a provider where these values are not explicitly set, (e.g. `new awsnative.Provider("...");`)
prior versions of the `aws-native` provider may have included the credentials in the state in clear text.
All users are recommended to upgrade their provider version to this or newer version and run a `pulumi up`.
Please also rotate the affected credentials after all relevant stacks have been updated.
You can check if your state file contains credentials by running `pulumi stack export | grep -A 3 "accessKey\|secretKey\|token"`
and checking if any unencrypted values are produced. After the update these values will either not be present
or be stored as encrypted secrets using your stack's preferred encryption provider.
Note that the Pulumi state backend also encrypts the state as a whole and other state backends
support a similar mechanism which should significantly limit exposure of the creds.
Nonetheless, We sincerely regret the inconvenience this causes.