Centralized configuration, zero sprawl.
Compose, manage, and share configuration and secrets across environments with Pulumi ESC.
One interface for all your secrets and configuration
Connect any secrets store and control everything centrally.
Pulumi ESC (Environments, Secrets, Configuration) centralizes secrets from every vault and cloud provider. It supports AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, 1Password, and more, and connects them all into a single control plane with consistent access, RBAC, and audit logging across every provider.
Eliminate secrets sprawl
Secure by default
Flexible access, anywhere
"With Pulumi ESC, our developers get dynamic AWS and Azure credentials on-demand. Onboarding new developers is quick and secure, with no more manually filling in .env templates."
Platform Lead
Centrally manage every environment
Manage secrets across every environment and service from a single control plane.

Dynamic credentials
Generate just-in-time, short-lived credentials via OIDC. Automatically revoke access when leases expire.
Composable environments
Build complex configurations from simple, reusable components. Inherit common settings while overriding specific values.
Full audit trail
Track every access, every change, every user. Complete visibility into who’s using what secrets and when.
Version control
Every environment change is versioned. Roll back instantly or access previous configurations when needed.
RBAC & teams
Fine-grained access controls integrated with your identity provider. SAML/SCIM support for enterprise SSO.
Extensible plugin model
Support for custom secret stores through our plugin architecture. Integrate with any system.
"Pulumi ESC has been a lifesaver for us. It’s nice to throw everything behind an ESC environment and eliminate one-off granting IAM permissions and other issues related to static credentials."
Software Engineering Team Lead