Many teams live with the fear that a production environment might be accidentally opened, exposing credentials or sensitive systems before anyone even notices.
We’re excited to announce a new feature for Pulumi ESC: Open approvals. A governance capability that lets organizations require review and sign-off before an environment is opened (i.e. activated or exposed)
Did you know that 80% of unplanned outages aren’t caused by hardware failures or cyberattacks, but by the very changes we make to improve our systems?
Pulumi ESC already enables safer change management with our innovative versioning capability which allows users to track and roll back environment revisions.
Building on this foundation, we’re excited to announce the release of Approvals in Pulumi ESC—a new feature that enables organizations to bring governance and oversight directly into their environment configuration workflows.
With Approvals, teams can require explicit review and sign-off before applying changes to ESC-managed environments, bringing the same rigor to configuration as they already have with infrastructure-as-code and application development.
Snowflake is the data cloud powerhouse for countless businesses, critical for everything from customer dashboards to billing pipelines. The stakes are immense: this data must be strictly secured and always available. But managing this with static credentials or manual key rotation creates persistent security vulnerabilities and introduces operational instability, risking disruptions during clumsy updates. Pulumi ESC eliminates this dilemma with two purpose-built Snowflake integrations:
snowflake-login: Provides dynamic, short-lived OIDC tokens for temporary authentication to Snowflake.snowflake-user: Automates the rotation of RSA keypair secrets for Snowflake users, essential for secure key-pair authentication.
Managing secrets effectively is no longer a “nice-to-have”—it’s a must-have for any organization building and scaling applications in the cloud. Static, long-lived credentials like database passwords, API keys, and IAM user credentials are a major security vulnerability. They’re often overexposed, residing in source code, configuration files, or other easily accessible locations. Manual rotation processes are tedious, error-prone, and infrequent, leaving a wide window of opportunity for potential breaches. Today, we’re thrilled to announce a powerful new capability in Pulumi ESC that directly addresses this challenge: Rotated Secrets.
Managing secrets in modern cloud applications can be challenging, particularly when it comes to rotation policies. While dynamic secrets (like AWS IAM temporary credentials) handle this automatically, many systems still rely on static secrets that require periodic rotation.
Static secrets, like database passwords or API keys, should be rotated regularly to maintain security, and services depending on these secrets need time to transition to new credentials to avoid downtime. This makes rotating credentials error-prone, and often forgotten.
In this post, we’ll explore an approach for automating static secret rotation using Pulumi ESC combined with Pulumi IaC.