Guides
How-to guides for consuming Pulumi ESC from the tools you already use. Each page is a self-contained walkthrough — install steps, the YAML or commands you need, and where ESC fits in the flow.
For first-party ESC integrations (the Pulumi Service Provider, Automation API, the VS Code extension, the External Secrets Operator, and the Secrets Store CSI Driver), see Integrations.
Authentication
- Configuring OIDC — set up OpenID Connect trust between ESC and AWS, Azure, GCP, Doppler, Infisical, or Vault.
Use ESC with Pulumi IaC
- Manage ESC with Pulumi IaC — consume environments from a Pulumi program.
- Sync secrets to external platforms — push ESC secrets and config to AWS Secrets Manager, Azure Key Vault, GitHub, Vault, and more.
Run commands
- Run commands with pulumi env run — inject environment values into any command or script.
Integrate with external tools
Use ESC with tools that don’t have a dedicated Pulumi-built integration component:
- GitHub Actions — inject ESC values and short-lived cloud credentials into workflows.
- Docker — load environment variables and secrets into Docker workflows.
- direnv — load ESC values automatically when you
cdinto a directory. - Terraform — supply temporary credentials and input variables to the Terraform CLI via
pulumi env run. - Cloudflare — manage Cloudflare Workers secrets via ESC.
- Kubernetes cluster access — store and consume
kubeconfigfiles and cluster credentials in ESC.