Pulumi ESC

Centralized Secrets Management & Orchestration

Tame secrets sprawl and configuration complexity securely across all your cloud infrastructure and applications.

A central hub to securely manage all of your environments, secrets, and configurations

  • Stop secret sprawl. Pull and sync secrets and configuration with any secrets store – HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, 1Password, and more – and consume in any application, tool, or CI/CD platform.
  • Trust (and prove) your secrets are secure. Adopt dynamic, short-lived secrets on demand as a best practice. Lock down every environment with RBAC, versioning, and a full audit log of all changes.
  • Ditch .env files. No more copying-and-pasting secrets or storing them in plaintext on dev computers. Developers can easily access secrets via CLI, API, Kubernetes operator, the Pulumi Cloud UI, and SDKs.
  • Use with or without Pulumi IaC. Use Pulumi ESC independently, or use with Pulumi IaC to support storing secrets in config in a more secure way than using plaintext.

“With Pulumi ESC, our developers get dynamic AWS and Azure credentials on-demand. Onboarding new developers is quick and secure, with no more manually filling in .env templates.”

Liam White, Platform Lead

Centrally manage all environments

screenshot of Pulumi ESC management console
Composable

Secrets and configurations are organized into logical groupings called environments. Environments support importing one into another, allowing for easy composability and inheritance of shared secrets and configuration.

Traceable

Never lose track of where configurations are being used. Trace the downstream impact of any secrets or configuration changes to see if they match expectations. 

Versionable

Create different versions of environments, so you can gracefully migrate between breaking configuration changes.

“Pulumi ESC has been a lifesaver for us. It’s nice to throw everything behind an ESC environment and eliminate one-off granting IAM permissions and other issues related to static credentials.”

JK Jensen, Software Engineering Team Lead

Natively integrated with your tools

secrets sources examples diagram
Use any secrets store

Pull and sync configuration and secrets with any secrets store – including HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, 1Password, and more.

Access from anywhere

Consume configuration and secrets in any environment from any application, tool, or CI/CD platform via CLI, API, Kubernetes operator, the Pulumi Cloud UI, and in-code with Typescript/Javascript, Python, and Go SDKs.

Security you can trust (and prove)

Robust Access Controls

Pulumi ESC leverages the same Pulumi Cloud identity, RBAC, Teams, SAML/SCIM, OIDC, and scoped access tokens used for Pulumi IaC to ensure secrets management complies with enterprise security policies.

Fully Auditable

Every time secrets or configuration values are accessed or changed with Pulumi ESC, the action is fully logged for auditing. Logs include who accessed what, the action they took, and even a full record of showing which originating environments accessed values are inherited from.

Dynamic Secrets

Pulumi ESC connects to cloud providers and supporting secrets stores via OpenId Connect (OIDC), allowing it to generate dynamic, short-lived secrets on demand. This ensures secure, just-in-time access and reduces the risk of long-lived credentials being compromised.

Key Features

Centralized secrets management

Access, share, and manage confidential information such as secrets, passwords, and API keys as well as configuration information such as network settings and deployment options.

Secrets orchestration

Pull and sync configuration and secrets from any secrets store and consume in any application, tool, or CI/CD platform.

Composable environments

Environments support importing one into another, allowing for easy composability and inheritance of shared secrets and configuration.

Versionable

Every change to an environment as well as any of its secrets and configuration is versioned, so rolling back or accessing an old version is easy.

RBAC

Role-based access controls (RBAC) makes it easy to secure your secrets and configurations by assigning permissions to users based on their role within your organization.

Dynamic secrets

Connects to cloud providers and supporting secrets stores via OIDC to support generating just-in-time, short-lived credentials that revoke access when the lease expires.

Audit logging

All actions taken on environments, secrets, or configuration values are fully logged for auditing.

Developer-friendly

Developers can easily access secrets via CLI, API, Kubernetes operator, the Pulumi Cloud UI, and in-code with Typescript/Javascript, Python, and Go SDKs.

How Pulumi ESC works

Pulumi ESC architecture diagram
#1

Pulumi ESC organizes secrets and configurations into logical groupings called environments. Each environment can be composed of multiple environments allowing easy inheritance of shared secrets and configuration.

#2

Pulumi ESC supports a variety of secrets stores as sources – including HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, 1Password, and more – and it has an extensible plugin model that allows third-party secret stores.

#3

Pulumi ESC makes it easy to integrate shared secrets and configurations into any application, tool, or CI/CD platform with a CLI, API, Kubernetes operator, and Typescript/Javascript, Python, and Go SDKs. Every value in an environment can be accessed from any execution environment.

#4

Pulumi ESC leverages the same Pulumi Cloud identity, RBAC, Teams, SAML/SCIM, and scoped access tokens used for Pulumi IaC. Every environment is versioned with all changes fully logged for auditing.

Get Started

Try Pulumi ESC today

Centralize and manage secrets securely on any cloud by creating a free Pulumi account.

Documentation

Review our documentation to learn more about Pulumi ESC.