Pulumi ESC

Environments, Secrets, and Configuration

Centralized environments, secrets, and configuration management for cloud applications and infrastructure

Today’s cloud environments access a multitude of configurations – including network settings, deployment options, API Keys, and other important secrets like database credentials –  from many different types of cloud infrastructure and SaaS services. Every team stores configuration settings like these in different locations, from secrets managers to plaintext files. This sprawl results in uncontrolled and untraceable configurations, causing operational bottlenecks, outages due to human error, and security breaches. Pulumi ESC enables you to centrally manage all configuration and secrets across your organization.

Benefits of Pulumi ESC

Frictionless Security

Easy-to-use single source of truth for all configuration and secrets with guardrails. Seamlessly adopt short-lived dynamic secrets.

Improve Developer Efficiency

Never have downtime over changed configuration. Change once and have it updated everywhere.

Control Access and Compliance

Enforce least-privileged access through role-based access controls. All changes are fully logged for auditing.

How Pulumi ESC works

Pulumi ESC architecture diagram

Pulumi ESC enables you to define environments, which contain collections of secrets and configuration. Each environment can be composed from multiple environments.


Pulumi ESC supports a variety of configuration and secrets sources, and it has an extensible plugin model that allows third-party sources.


Pulumi ESC has a rich API that allows for easy integration. Every value in an environment can be accessed from any execution environment.


Every environment can be locked down with RBAC, versioned, and audited.

Centrally manage all environments

screenshot of Pulumi ESC management console

Environments contain collections of secrets and configuration. Compose environments together from multiple other environments to allow easy inheritance of shared configuration, eliminating “copy and paste errors”.


Never lose track of where configurations are being used and where. Trace the downstream impact of any configuration to see if the impact matches your expectations. 


Create different versions of environments, so you can gracefully migrate between breaking configuration changes.

Natively integrated with your infrastructure

Use any secrets source

Pull configuration and secrets from any source, static or dynamic. Seamlessly adopt industry best practices of using short-lived, dynamic secrets that are more secure. 

Secret sources examples
Access from anywhere

Consume configuration and secrets in any environment and from any application or tool. You can use Pulumi ESC for all your configuration and secrets needs independently of Pulumi’s core infrastructure as code offerings.

Exectution environments examples

Frequently asked questions

Get started today

Follow the Getting Started guide to begin using Pulumi ESC