Secrets & Configuration

Manage all your secrets and configuration at scale

Get Started Book a Demo

One interface for all your secrets

Pulumi ESC (Environments, Secrets, Configuration) centralizes secrets from every vault and cloud provider. No more juggling AWS Secrets Manager, HashiCorp Vault, and Azure Key Vault separately. Connect them all, manage them centrally, access them anywhere.

  • Eliminate secrets sprawl. Connect to any secrets store—HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, 1Password, and more. One interface for all your secrets.
  • Secure by default. Dynamic, short-lived credentials with OIDC. Full RBAC, versioning, and audit logging. No more plaintext secrets anywhere.
  • Engineer-friendly access. CLI, API, SDKs, and Kubernetes operators. Access secrets from anywhere without compromising security.
  • Integrated with Pulumi IaC. Native integration with Pulumi infrastructure code, or use standalone with any application or workflow.

“With Pulumi ESC, our developers get dynamic AWS and Azure credentials on-demand. Onboarding new developers is quick and secure, with no more manually filling in .env templates.”

Liam White, Platform Lead

Centrally manage every environment

screenshot of Pulumi ESC management console

“Pulumi ESC has been a lifesaver for us. It’s nice to throw everything behind an ESC environment and eliminate one-off granting IAM permissions and other issues related to static credentials.”

JK Jensen, Software Engineering Team Lead

secrets sources examples diagram

Key Features

Dynamic Credentials

Generate just-in-time, short-lived credentials via OIDC. Automatically revoke access when leases expire.

Environment Composition

Build complex configurations from simple, reusable components. Inherit common settings while overriding specific values.

Full Audit Trail

Track every access, every change, every user. Complete visibility into who's using what secrets and when.

Version Control

Every environment change is versioned. Roll back instantly or access previous configurations when needed.

RBAC & Teams

Fine-grained access controls integrated with your identity provider. SAML/SCIM support for enterprise SSO.

Extensible Plugin Model

Support for custom secret stores through our plugin architecture. Integrate with any system.

How it works

Pulumi ESC architecture diagram

Get started with Pulumi secrets management

Start managing secrets today

Experience enterprise-grade secrets management with Pulumi Cloud’s free tier.

Start Free Book a Demo
Learn more

Explore the documentation and migration guides to implement ESC in your infrastructure.

Read the Docs Migration Guide