Introducing ESC Connect: Integrate Any Secret Source with Pulumi ESC
We’re excited to announce ESC Connect — a new capability that lets you integrate any secret source with Pulumi ESC by building simple HTTPS adapter services. If you’ve ever needed to pull secrets from a proprietary system, a legacy tool, or a third-party service that doesn’t have native ESC support, you no longer have to wait for us to build a provider. You can build your own adapter in an afternoon and start using it immediately.
Pulumi ESC has native integrations with popular secret management systems like AWS Secrets Manager, Azure KeyVault, HashiCorp Vault, 1Password, and others. But in real-world infrastructure, you often need to work with systems that fall outside this list. Maybe you built a custom secret management system years ago and it’s still running in production. Maybe you’re using a niche third-party service. Maybe your secrets are locked behind a firewall in a legacy system that predates modern APIs.
ESC Connect changes this by letting you build simple HTTPS adapter services using the external provider. Your adapter handles requests from ESC, fetches secrets from your custom source, and returns them. ESC handles authentication with signed JWT tokens, so you get fine-grained control over access without building a complete security infrastructure.
Building an adapter
Here’s an ESC environment configuration that uses ESC Connect:
values:
  customSecrets:
    fn::open::external:
      url: https://my-adapter.example.com/fetch-secrets
      request:
        secretName: DATABASE_PASSWORD
When you open this environment, ESC makes an authenticated POST request to your adapter. Your adapter validates the JWT token, fetches the secret from your source, and returns it:
const handler = async (event) => {
  // 1. Validate JWT from Authorization header
  const claims = await validateJWT(event.headers.Authorization);

  // 2. Verify audience and body hash for security
  verifyAudience(claims.aud, event.url);
  verifyBodyHash(event.body, claims.body_hash);

  // 3. Fetch secret from your source
  const request = JSON.parse(event.body);
  const secret = await fetchFromYourSource(request.secretName);

  // 4. Return the secret
  return { statusCode: 200, body: JSON.stringify(secret) };
};
The example reference implementation includes an ESCRequestValidator class that handles JWT verification and request integrity checking for you. See the documentation for detailed security requirements and examples in other languages.
Automated rotation
ESC Connect also supports automated secret rotation through fn::rotate::external. Your rotation adapter receives the current credential state, generates new credentials, updates your target system, and returns the new state. ESC handles scheduling and maintains both current and previous credentials during rotation transitions for zero-downtime rotation.
values:
  rotatedCredentials:
    fn::rotate::external:
      inputs:
        url: https://my-adapter.example.com/rotate
        request:
          service: database
          environment: production
Learn more about secret rotation in Pulumi ESC and the external rotator implementation patterns.
Try it out
ESC Connect is available now in Pulumi ESC. We’ve created a deployable reference adapter implementation on AWS Lambda that demonstrates secure request validation:
Check out the documentation for the external provider and external rotator to learn more about building production adapters.
To learn more about Pulumi ESC, explore the ESC documentation or get started for free. If you build an adapter for a system that others might find useful, share it in the Pulumi Community Slack — we’d love to see what you build.
