Rotating secrets
Operational guidance for rotating secrets with Pulumi ESC. For background on what rotation is and how the fn::rotate::* syntax works, see Rotators.
Best practices
See Best practices for guidance on least privilege, separation of concerns, composing rotated environments, and handling partial failures.
Rotation connectors
Some rotators need to reach the credential they’re rotating — for example, the mysql and postgres rotators must connect to the database to change a user’s password. When the target lives in a private network that Pulumi Cloud can’t reach directly, a rotation connector runs the rotation inside that network on Pulumi Cloud’s behalf.
Available connectors
| Connector | Runtime | Used by |
|---|---|---|
| AWS Lambda | AWS Lambda inside a VPC | mysql, postgres |
Setup checklists
- Database user setup — pre-create the database user (and grant the right permissions) that a rotator will manage.