Centralized environments, secrets, and configuration management for cloud applications and infrastructure
Today’s cloud environments access a multitude of configurations – including network settings, deployment options, API Keys, and other important secrets like database credentials – from many different types of cloud infrastructure and SaaS services. Every team stores configuration settings like these in different locations, from secrets managers to plaintext files. This sprawl results in uncontrolled and untraceable configurations, causing operational bottlenecks, outages due to human error, and security breaches. Pulumi ESC enables you to centrally manage all configuration and secrets across your organization.
Benefits of Pulumi ESC
Frictionless Security
Easy-to-use single source of truth for all configuration and secrets with guardrails. Seamlessly adopt short-lived dynamic secrets.
Improve Developer Efficiency
Never have downtime over changed configuration. Change once and have it updated everywhere.
Control Access and Compliance
Enforce least-privileged access through role-based access controls. All changes are fully logged for auditing.
How Pulumi ESC works
Pulumi ESC enables you to define environments, which contain collections of secrets and configuration. Each environment can be composed from multiple environments.
Pulumi ESC supports a variety of configuration and secrets sources, and it has an extensible plugin model that allows third-party sources.
Pulumi ESC has a rich API that allows for easy integration. Every value in an environment can be accessed from any execution environment.
Every environment can be locked down with RBAC, versioned, and audited.
Centrally manage all environments
Composable
Environments contain collections of secrets and configuration. Compose environments together from multiple other environments to allow easy inheritance of shared configuration, eliminating “copy and paste errors”.
Traceable
Never lose track of where configurations are being used. Trace the downstream impact of any configuration to see if the impact matches your expectations.
Versionable
Create different versions of environments, so you can gracefully migrate between breaking configuration changes.
Natively integrated with your infrastructure
Use any secrets source
Pull configuration and secrets from any source, static or dynamic. Seamlessly adopt industry best practices of using short-lived, dynamic secrets that are more secure.
Access from anywhere
Consume configuration and secrets in an environment from any application or tool. You can use ESC for all your configuration and secrets needs independently of Pulumi’s core infrastructure as code offerings.
Frequently asked questions
-
Pulumi ESC (Environments, Secrets and Configuration) is an open source project and managed service of Pulumi Cloud that enables teams to manage hierarchical collections of configuration and secrets and consume them from a variety of different infrastructure and application services.
Pulumi ESC integrates with Pulumi Cloud identity and RBAC to provide rich control over access to secret configuration within an organization. Pulumi ESC supports multiple configuration providers, enabling static key/value configuration as well as dynamically retrieved configuration and secrets via OIDC and additional providers like 1Password and Vault. Pulumi ESC is available via the new esc CLI, Pulumi Cloud, the Pulumi Cloud REST API, and Pulumi IaC stack configuration.
-
An environment describes a collection of secrets and configuration values. It is typically intended to capture the configuration needed to work with a particular environment - for example the production environment for your key customer or line of business service.
An environment is represented by a YAML document. This document has two top level entries:
- imports: An optional set of other environments that this environment derives from, enabling composition of environments and avoiding repetition across environments.
- values: An arbitrary nested collection of key/value pairs representing top level configuration values.
-
Pulumi ESC enables teams to manage hierarchical collections of configuration and secrets (“environments”) and consume them from a variety of different infrastructure and application services. Examples include the management of AWS configurations and secrets, API keys, database credentials, and environment-specific variables such as service endpoints and AWS regions.
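An environment document of the kind described above, as an added example that is not taken from this page or from Pulumi's documentation. It uses ESC's aws-login provider, the fn::secret function and the environmentVariables key, which this page does not show; the imported environment name, role ARN, endpoint and all values are constructed placeholders.

```yaml
# Constructed example: every name and value below is a placeholder.
imports:
  # Hypothetical shared environment that this one derives from.
  - shared/aws-base

values:
  aws:
    region: us-west-2
    login:
      # Short-lived AWS credentials obtained through OIDC federation,
      # so no long-lived access key is stored in the environment.
      fn::open::aws-login:
        oidc:
          roleArn: "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
          sessionName: esc-example-session
          duration: 1h

  app:
    endpoint: https://api.example.com
    dbPassword:
      # Static value marked as a secret.
      fn::secret: "<DATABASE_PASSWORD>"

  # Values exposed to consuming processes as environment variables.
  environmentVariables:
    AWS_REGION: ${aws.region}
    AWS_ACCESS_KEY_ID: ${aws.login.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${aws.login.secretAccessKey}
    AWS_SESSION_TOKEN: ${aws.login.sessionToken}
    SERVICE_ENDPOINT: ${app.endpoint}
    DB_PASSWORD: ${app.dbPassword}
```

Scoping the IAM role's trust policy to the specific environment, and keeping the session duration short, limits what a leaked session token can reach.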
-
- AWS OIDC
- AWS Secrets Manager
- Azure OIDC
- Azure KeyVault
- GCP OIDC
- GCP Secrets Manager
-
Pulumi ESC encrypts all data at rest using AWS S3 encryption. All API routes serving the Pulumi ESC API are HTTPS, and authenticated via Pulumi Access Token.
-
Users and automation can authenticate with a Pulumi Access Token. They can use personal, team or organization tokens.
Get started today
Follow the Getting Started guide to begin using Pulumi ESC