Supplying Cloud Credentials to Pulumi Deployments
In order for a Pulumi IaC operation like update or preview work, the Pulumi CLI must be able to access credentials that will allow it to perform the necessary CRUD operations on the resources in your stack. In order for Pulumi Deployments to access the necessary cloud credentials to run your Pulumi operation there are two common approaches you can take:
- Use Pulumi Deployments’ OIDC integration where possible (we support AWS, Azure, and Google Cloud), and store any remaining required secrets or configuration in Pulumi Deployments Environment Variables.
- Use Pulumi ESC to define an Environment (or Environments), and import the environment(s) into your stack.
Choosing between Pulumi ESC Environments and Pulumi Deployments OIDC
Pulumi recommends using ESC Environments over Deployments OIDC for the following reasons:
- Pulumi ESC Environments are more portable compared to Deployments OIDC: Ignoring any locally stored credentials, e.g., environment variables set in your command shell, you can have greater confidence that a Pulumi Deployments operation will succeed if it succeeds on your local machine.
- Pulumi ESC Environments are more modular compared to Deployments OIDC: Deployments settings are applied on a per-stack basis, which means that the OIDC configuration must be repeated for every stack that is using Deployments OIDC. In comparison, Pulumi ESC Environments are centrally defined and may be imported into any number of Pulumi stacks.
- Pulumi ESC has more native integrations with popular clouds for both OIDC and managed secrets services, and other tools like Kubernetes, Docker, etc.
- Pulumi ESC Environments are composable: Environments can import other Environments, which removes the need to repeat configuration information.
- Pulumi ESC Environments support versioning, allowing you to roll out changes to an environment in a controlled fashion by pinning Environment imports to a specific version of an Environment.
One important difference to be mindful of is that Pulumi Deployments OIDC applies to the entire Deployments process (including pre-run commands), whereas a Pulumi ESC environment only applies to the Pulumi IaC operation (e.g. pulumi up). However, there is a workaround for this limitation: Each pre-run command can be prefixed with the pulumi env run command so that the pre-run command executes in the context of specified Pulumi ESC Environment.
For example, to install packages from a private repository, you might run the following pre-run command:
pulumi env run my-esc-project/my-esc-environment -- npm install
Next Steps
Both Pulumi Deployments OIDC and Pulumi ESC require configuring an OIDC Identity Provider in your cloud environment in order to enable the secure exchange of tokens between Pulumi Cloud and your cloud provider in order to obtain temporary credentials. For more information:
- If using Pulumi ESC, see Configuring OpenID Connect for Pulumi ESC.
- If using Pulumi Deployments OIDC, see OIDC Setup for Pulumi Deployments.
After an OIDC Identity Provider has been configured:
- If you are using Pulumi ESC, ensure that your Pulumi Deployments token has permissions to open any imported Pulumi ESC Environments. For more information, see Deployment Permissions
- If you are using Pulumi Deployments OIDC, set up your Deployment Settings for your stack to use your OIDC configuration.
Thank you for your feedback!
If you have a question about how to use Pulumi, reach out in Community Slack.
Open an issue on GitHub to report a problem or suggest an improvement.