Rotating Secret Providers

Customers and users have asked for the ability to change the secrets manager associated with their stacks. This lets a user rotate their secrets provider when people leave their organization, or migrate to another secrets manager of their choice. The v2.8.0 release of Pulumi adds support for this feature.

Let’s have a look at how to change a secrets provider for an existing stack:

pulumi stack change-secrets-provider "awskms://alias/ChangeSecretsProvider?region=us-west-2"

This command changes the secrets provider for the currently selected stack. It re-encrypts the configuration values in Pulumi.<stack>.yaml with the new secrets provider and migrates any secrets held in the latest checkpoint (state file) to the new provider as well. Rotation is only complete once nothing still depends on the old provider: revoke a departing user's access to the old KMS key (or retire the old passphrase) only after every stack that used it has been changed over.
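Rotating one stack at a time leaves the old provider in use on the stacks you forgot. The script below is an added example, not code from the Pulumi post or the Pulumi project: it walks a list of stacks, runs the rotation command against each, and then checks that every Pulumi.<stack>.yaml names the new provider in its top-level secretsprovider key before you revoke access to the old one. The alias "rotated-key", the region, and the stack names are placeholder assumptions; the PULUMI variable lets you substitute "echo" for a dry run.

```shell
#!/bin/sh
# Added example (not from the Pulumi post): rotate the secrets provider on
# every stack in the list and verify the stack files afterwards.
# Assumptions: alias "rotated-key", region us-west-2, stacks dev/test/production.

: "${PULUMI:=pulumi}"     # set PULUMI=echo to print the commands instead of running them

NEW_PROVIDER="awskms://alias/rotated-key?region=us-west-2"

# Constructed stack list; in practice derive it from `pulumi stack ls`.
STACKS="dev test production"

# Succeed only if the stack file's top-level secretsprovider key equals $2.
# KMS-backed stack files carry "secretsprovider: <url>" as a top-level key.
stack_uses_provider() {
  file=$1
  want=$2
  have=$(sed -n 's/^secretsprovider: *//p' "$file" | head -n 1)
  [ "$have" = "$want" ]
}

# Rotate each stack in turn; change-secrets-provider acts on the selected stack.
rotate_all() {
  for s in $STACKS; do
    "$PULUMI" stack select "$s" || return 1
    "$PULUMI" stack change-secrets-provider "$NEW_PROVIDER" || return 1
  done
}

# After rotation, every stack file must reference the new provider.
verify_all() {
  for s in $STACKS; do
    if ! stack_uses_provider "Pulumi.$s.yaml" "$NEW_PROVIDER"; then
      echo "Pulumi.$s.yaml still references a different secrets provider" >&2
      return 1
    fi
  done
}

# Run only when explicitly requested, so the file can also be sourced for its functions.
if [ "${DO_ROTATE:-0}" = "1" ]; then
  rotate_all && verify_all
fi
```

Run it from the project directory with DO_ROTATE=1; a failed verify_all means at least one stack file is still bound to the old provider and it is not yet safe to remove the old key.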

Creating New Stacks based on existing stacks

We also added the ability to create a new stack based on the configuration of an existing one. When you need a new developer stack, or a stack for a different environment, create it as follows:

pulumi stack init test --copy-config-from dev

This flag creates a new test stack and initializes the default secrets provider for it. It then reads the existing configuration from the dev stack and re-encrypts it with the test stack's secrets provider. We can, of course, pass a secrets provider for the new stack instead of the default:

pulumi stack init test --secrets-provider="awskms://alias/ChangeSecretsProvider?region=us-west-2" --copy-config-from dev

Copying Config Between Stacks

When working on a Pulumi project that has multiple stacks, there are times when a configuration value added to one stack needs to be copied to the other stacks in the project. Rather than selecting each stack individually and setting the value again, we can now copy configuration between stacks from the command line. Take the example where a new database password was added to the dev stack. We can copy that password to the production stack as follows:

pulumi config cp MyDatabasePassword --dest production

This re-encrypts the MyDatabasePassword value with the production stack's secrets provider. To copy all of the configuration from the dev stack to the production stack, omit the key (MyDatabasePassword):

pulumi config cp --dest production

We can iterate over all of the stacks that need the configuration, and the copied values will be encrypted with each destination stack's secrets provider.
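The script below is an added example, not code from the Pulumi post or the Pulumi project. It fans a single secret key out from a source stack to every other stack in a list and then checks the resulting stack files: each destination must hold the key under a "secure:" entry (so it was not written as plaintext), and its ciphertext must differ from the source's, which is what re-encryption with the destination's provider implies. The project name "myproj", the stack names, and the key name are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the Pulumi post): copy one secret config key to all
# other stacks and verify it is stored encrypted, with its own ciphertext, in each.
# Assumptions: project "myproj", stacks dev/test/production, key MyDatabasePassword.

: "${PULUMI:=pulumi}"      # set PULUMI=echo to print the commands instead of running them

PROJECT=myproj
SRC=dev
STACKS="dev test production"    # constructed list; see `pulumi stack ls`
KEY=MyDatabasePassword

# Print the ciphertext stored for $PROJECT:$KEY in a stack file, or nothing if
# the key is absent or stored as plaintext. Secret values appear in the file as
#   <project>:<key>:
#     secure: <ciphertext>
secure_value() {
  awk -v k="  $PROJECT:$KEY:" '
    found && sub(/^ *secure: */, "") { print; exit }
    { found = ($0 == k) }
  ' "$1"
}

# Copy the key from the selected source stack to every other stack.
copy_to_all() {
  "$PULUMI" stack select "$SRC" || return 1
  for d in $STACKS; do
    if [ "$d" != "$SRC" ]; then
      "$PULUMI" config cp "$KEY" --dest "$d" || return 1
    fi
  done
}

# Every destination must hold the key as a secret whose ciphertext differs from
# the source's, because it was re-encrypted with the destination's provider.
verify_copies() {
  src_ct=$(secure_value "Pulumi.$SRC.yaml")
  if [ -z "$src_ct" ]; then
    echo "$KEY is not stored as a secret in $SRC" >&2
    return 1
  fi
  for d in $STACKS; do
    [ "$d" = "$SRC" ] && continue
    ct=$(secure_value "Pulumi.$d.yaml")
    if [ -z "$ct" ] || [ "$ct" = "$src_ct" ]; then
      echo "$KEY is missing, plaintext, or not re-encrypted in $d" >&2
      return 1
    fi
  done
}

# Run only when explicitly requested, so the file can also be sourced for its functions.
if [ "${DO_COPY:-0}" = "1" ]; then
  copy_to_all && verify_copies
fi
```

Run it from the project directory with DO_COPY=1. The plaintext check matters because a key that was set without --secret on the source stack is copied as plaintext too; verify_copies fails in that case rather than silently spreading an unencrypted password across environments.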

Learn More

If you’d like to learn about Pulumi and manage your infrastructure through code, get started today. Pulumi is open source and free to use.

As always, you can check out our code on GitHub, follow us on Twitter, subscribe to our YouTube channel, or join our Community Slack channel if you have any questions, need support, or just want to say hello.