Pulumi ESC

Centralized Secrets Management & Orchestration

Tame secrets sprawl and configuration complexity securely across all your cloud infrastructure and applications.

A central hub to securely manage all of your environments, secrets, and configurations

• Stop secret sprawl. Pull and sync secrets and configuration with any secrets store – HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, 1Password, and more – and consume in any application, tool, or CI/CD platform.
• Trust (and prove) your secrets are secure. Adopt dynamic, short-lived secrets on demand as a best practice. Lock down every environment with RBAC, versioning, and a full audit log of all changes.
• Ditch .env files. No more copying-and-pasting secrets or storing them in plaintext on dev computers. Developers can easily access secrets via CLI, API, Kubernetes operator, the Pulumi Cloud UI, and SDKs.
• Use with or without Pulumi IaC. Use Pulumi ESC independently, or use with Pulumi IaC to support storing secrets in config in a more secure way than using plaintext.

Composable

Secrets and configurations are organized into logical groupings called environments. Environments support importing one into another, allowing for easy composability and inheritance of shared secrets and configuration.

Traceable

Never lose track of where configurations are being used. Trace the downstream impact of any secrets or configuration changes to see if they match expectations. 

Versionable

Create different versions of environments, so you can gracefully migrate between breaking configuration changes. Use any secrets store Pull and sync configuration and secrets with any secrets store – including HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, 1Password, and more.

Access from anywhere

Consume configuration and secrets in any environment from any application, tool, or CI/CD platform via CLI, API, Kubernetes operator, the Pulumi Cloud UI, and in-code with Typescript/Javascript, Python, and Go SDKs.

Security you can trust (and prove)

Robust Access Controls

Pulumi ESC leverages the same Pulumi Cloud identity, RBAC, Teams, SAML/SCIM, OIDC, and scoped access tokens used for Pulumi IaC to ensure secrets management complies with enterprise security policies.

Fully Auditable

Every time secrets or configuration values are accessed or changed with Pulumi ESC, the action is fully logged for auditing. Logs include who accessed what, the action they took, and even a full record of showing which originating environments accessed values are inherited from.

Dynamic Secrets

Pulumi ESC connects to cloud providers and supporting secrets stores via OpenId Connect (OIDC), allowing it to generate dynamic, short-lived secrets on demand. This ensures secure, just-in-time access and reduces the risk of long-lived credentials being compromised.

Features

Centralized secrets management

Access, share, and manage confidential information such as secrets, passwords, and API keys as well as configuration information such as network settings and deployment options.

Secrets orchestration

Pull and sync configuration and secrets from any secrets store and consume in any application, tool, or CI/CD platform.

Composable environments

Environments support importing one into another, allowing for easy composability and inheritance of shared secrets and configuration.

Versionable

Every change to an environment as well as any of its secrets and configuration is versioned, so rolling back or accessing an old version is easy.

RBAC

Role-based access controls (RBAC) makes it easy to secure your secrets and configurations by assigning permissions to users based on their role within your organization.

Dynamic secrets

Connects to cloud providers and supporting secrets stores via OIDC to support generating just-in-time, short-lived credentials that revoke access when the lease expires.

Audit logging

All actions taken on environments, secrets, or configuration values are fully logged for auditing.

Developer-friendly

Developers can easily access secrets via CLI, API, Kubernetes operator, the Pulumi Cloud UI, and in-code with Typescript/Javascript, Python, and Go SDKs.