
aws-secrets

    The aws-secrets provider lets you dynamically import secrets from AWS Secrets Manager into your environment. The provider returns a map from the names you choose to the imported secret values.

    Example

    aws:
      login:
        fn::open::aws-login:
          oidc:
            roleArn: arn:aws:iam::123456789:role/esc-oidc
            sessionName: pulumi-environments-session
      secrets:
        fn::open::aws-secrets:
          region: us-west-1
          login: ${aws.login}
          get:
            api-key:
              secretId: api-key
            app-secret:
              secretId: app-secret
    

    Configuring OIDC

    To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and AWS, see the OpenID Connect integration documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following:

    • esc open <your-org>/<your-environment> command of the Pulumi ESC CLI
    • pulumi env open <your-org>/<your-environment> command of the Pulumi CLI

    Make sure to replace <your-org> and <your-environment> with the values of your Pulumi organization and environment file respectively. You should see output similar to the following:

    {
      "aws": {
        "login": {
          "accessKeyId": "ASIA....",
          "secretAccessKey": "mWdm....",
          "sessionToken": "Fwo...."
        },
        "secrets": {
          "api-key": "my-api-key",
          "app-secret": "my-app-secret"
        }
      }
    }
    

    Inputs

    Property | Type                     | Description
    region   | string                   | The AWS region to use.
    login    | AWSSecretsLogin          | Credentials to use to log in to AWS.
    get      | map[string]AWSSecretsGet | A map from names to secrets to read from AWS Secrets Manager. The outputs will map each name to the secret's sensitive data.

    AWSSecretsLogin

    Property        | Type   | Description
    accessKeyId     | string | The AWS access key ID.
    secretAccessKey | string | The AWS secret access key.
    sessionToken    | string | [Optional] The AWS session token, if any.

    AWSSecretsGet

    Property     | Type   | Description
    secretId     | string | The ID of the secret to import.
    versionId    | string | [Optional] The version of the secret to import.
    versionStage | string | [Optional] The version stage of the secret to import.
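
    The following environment is an added example, not one taken from the Pulumi ESC documentation or project. It goes beyond the example above by showing the optional versionStage and versionId selectors and by exposing the imported values through the environment's environmentVariables block. It assumes the snippet lives under the environment's top-level values block (the example above shows only the aws section), that AWSCURRENT and AWSPREVIOUS are the staging labels AWS Secrets Manager assigns to the current and previous versions of a secret, and that the role ARN, secret IDs and version ID are placeholders you replace with your own.

```yaml
values:
  aws:
    login:
      fn::open::aws-login:
        oidc:
          # Placeholder account ID and role name: replace with your own.
          roleArn: arn:aws:iam::123456789012:role/esc-oidc
          sessionName: pulumi-environments-session
    secrets:
      fn::open::aws-secrets:
        region: us-west-1
        # Reuse the short-lived OIDC session credentials from aws.login.
        login: ${aws.login}
        get:
          # No selector: Secrets Manager returns the version labelled AWSCURRENT.
          dbPassword:
            secretId: prod/db/password
          # Read the previous version explicitly, which is handy while a
          # rotation is in flight and clients may still hold the old value.
          dbPasswordPrevious:
            secretId: prod/db/password
            versionStage: AWSPREVIOUS
          # Pin an exact version so every open of this environment reads the
          # same value regardless of later rotations (placeholder version ID).
          signingKey:
            secretId: prod/signing-key
            versionId: 00000000-0000-0000-0000-000000000000
  # Surface the imported values to processes run via `esc run` / `pulumi env run`.
  environmentVariables:
    DB_PASSWORD: ${aws.secrets.dbPassword}
    DB_PASSWORD_PREVIOUS: ${aws.secrets.dbPasswordPrevious}
```

    Keeping the names under get free of hyphens (dbPassword rather than db-password) makes the later ${aws.secrets.dbPassword} references unambiguous. Pinning versionId trades automatic pickup of rotated values for reproducibility, so use it only for secrets whose rotation you coordinate by editing the environment.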

    Outputs

    Property | Type   | Description
    N/A      | object | A map of names to imported secrets.