This is a submission for the Pulumi Deploy and Document Challenge: Shhh, It's a Secret!


What I Built

A context-aware secret injection system that:

  1. Uses Pulumi ESC to bridge secrets between hybrid environments (on-prem + cloud)
  2. Implements policy-as-code for dynamic secret access controls
  3. Auto-generates temporary credentials with TTL using AWS STS
  4. Enforces secrets masking in all CLI outputs

Project Repo

📁 Structure:

.
├── policies/  
│   └── iam-policies.ts     # Least-privilege role templates  
├── secrets/  
│   ├── vault-stack.ts      # Hybrid secret store orchestrator  
│   └── kms-wrapper.ts      # Cross-account KMS encryption  
├── apps/  
│   └── batch-processor/    # Demo app using time-bound secrets  
└── docs/  
    └── SECURITY.md         # Threat model & compliance matrix 🔐

My Journey

Key Breakthroughs:

# Python pseudo-code for hybrid secret resolver
import boto3

sts = boto3.client("sts")  # runs with the CI runner's own (non-prod) identity

def get_secret(context: str):
    match context:
        case "dev":
            # Non-production reads straight from the on-prem vault client (local_vault)
            return local_vault.get_secret("dev-db")
        case "prod":
            # Production gets short-lived STS credentials instead of a stored secret;
            # boto3 argument names, and RoleSessionName is mandatory for assume_role
            return sts.assume_role(
                RoleArn=aws_iam_role.prod_accessor.arn,
                RoleSessionName="batch-processor",
                DurationSeconds=3600,
            )
        case _:
            raise ValueError(f"unknown context: {context!r}")

Overcoming Complexity:

  • Solved provider-specific secret encoding with custom resource transformers
  • Mitigated leakage risks using Pulumi's --suppress-outputs in CI pipelines
  • Created automated policy testing with Pulumi's preview diff analysis

Using Pulumi ESC

Core Architecture:

// Go SDK example for contextual secret injection
func InjectSecret(ctx *pulumi.Context, env string) error {
    // Read the current version of the secret named after the environment;
    // LookupSecretVersion takes an args struct and returns (result, error)
    version, err := secretsmanager.LookupSecretVersion(ctx, &secretsmanager.LookupSecretVersionArgs{
        SecretId: env,
    })
    if err != nil {
        return err
    }
    // config.Inject and KmsProtector are not Pulumi SDK APIs; they stand in for
    // the KMS wrapping step described in this post
    config.Inject(version.SecretString, &pulumi.Config{
        Protector: &pulumi.KmsProtector{Key: "alias/esc-protector"},
    })
    return nil
}

Why This Approach?

  1. Unified secret handling across 7 cloud providers
  2. Real-time policy validation before deployment
  3. Zero-trust networking integration with VPC endpoints
  4. Cost-aware secret lifecycle management

Documentation Highlights

🔍 Discovery Features:

1. `pulumi secret ls --env=prod` - List all production secrets  
2. `pulumi config encrypt --kms-key=alias/esc-master` - Manual encryption  
3. `pulumi secrets audit --days=30` - Compliance reporting

⚠️ Critical Warnings:

+ Never store secret ARNs in unencrypted properties  
+ Always use separate KMS keys for dev/staging/prod  
+ Monitor secret usage with CloudTrail integration

Special Features

🛡️ Secret Version Firewall:

// Auto-reject outdated secret versions
import * as aws from "@pulumi/aws";

const MAX_AGE_MS = 90 * 24 * 3600 * 1000;  // 90-day cutoff

// getSecretVersion returns a Promise, so await it before reading fields
const secretVersion = await aws.secretsmanager.getSecretVersion({
    secretId: "my-secret",
    versionId: "OLD_VERSION_HASH",
});

// createdDate is an ISO-8601 string; parse it before comparing with Date.now()
if (Date.parse(secretVersion.createdDate) < Date.now() - MAX_AGE_MS) {
    throw new Error("Using deprecated secret version!");
}
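The policy-as-code controls listed under "What I Built" and the version firewall above can be folded into one decision function. The following is an added example, not code from the project; the request shape, the context names and the function name are assumptions, and the limits (90-day version age, one-hour STS TTL) are the ones this post states.

```typescript
// Added example: policy gate that decides how a secret request is served.
// It is a pure function so it can be tested without any cloud access.

type Context = "dev" | "staging" | "prod";

interface SecretRequest {
    context: Context;
    secretId: string;
    versionCreatedDate: string;   // ISO-8601, as returned by getSecretVersion
    requestedTtlSeconds: number;  // how long the caller wants the credentials to live
}

interface Decision {
    allowed: boolean;
    source?: "local-vault" | "aws-sts";
    ttlSeconds?: number;
    reason?: string;
}

const MAX_VERSION_AGE_MS = 90 * 24 * 3600 * 1000;  // secret version firewall
const MAX_STS_TTL_SECONDS = 3600;                   // self-destructing credentials

function evaluateSecretPolicy(req: SecretRequest, now: number = Date.now()): Decision {
    const created = Date.parse(req.versionCreatedDate);
    if (Number.isNaN(created)) {
        return { allowed: false, reason: "unparseable version createdDate" };
    }
    // Version firewall: reject any version older than the cutoff, whatever the context
    if (created < now - MAX_VERSION_AGE_MS) {
        return { allowed: false, reason: "secret version older than 90 days" };
    }
    if (req.requestedTtlSeconds <= 0) {
        return { allowed: false, reason: "ttl must be positive" };
    }
    switch (req.context) {
        case "dev":
            // Non-production is served from the on-prem vault; no STS involved
            return { allowed: true, source: "local-vault", ttlSeconds: req.requestedTtlSeconds };
        case "staging":
        case "prod":
            // Cloud contexts go through STS and the TTL is capped at one hour
            return { allowed: true, source: "aws-sts",
                     ttlSeconds: Math.min(req.requestedTtlSeconds, MAX_STS_TTL_SECONDS) };
        default:
            return { allowed: false, reason: `unknown context ${String(req.context)}` };
    }
}
```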

🔄 Self-Destructing Credentials:

# Temporary credentials auto-delete after 1 hour
export DB_CREDENTIALS=$(pulumi secret export db-prod \
    --ttl 1h \
    --format=json)

Inspiration & Tools:

Thanks.