This is a submission for the Pulumi Deploy and Document Challenge: Shhh, It's a Secret!

What I Built

A secret management pipeline using Pulumi ESC SDK that:

  1. Securely stores API keys/database credentials in AWS Secrets Manager
  2. Dynamically injects secrets into cloud infrastructure configurations
  3. Demonstrates secure access patterns for serverless applications
  4. Implements RBAC policies through Pulumi's IAM integration

Project Repo

📁 Key files:

.
├── config/
│   └── secrets.ts        # Secret definitions & encryption logic
├── infra/
│   └── vpc-stack.ts      # VPC creation with secret injection
├── apps/
│   └── lambda-app/       # Sample app using retrieved secrets
└── README.md             # Full implementation details 🔒
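For the lambda-app directory, an added example (not the project's own handler) of the access pattern a serverless function should use: the secret is fetched by ID at cold start, cached per container with a TTL, and never logged or returned. The environment variable name `DB_SECRET_ID`, the TTL, and the injectable `client_factory`/`now` parameters (so the code can be exercised offline without boto3) are assumptions of this example.

```python
import json
import os
import time
from typing import Callable

# Per-container cache: one GetSecretValue call per cold start and one per
# TTL expiry, instead of one per invocation. Lives only in Lambda memory.
_CACHE: dict = {}
SECRET_TTL_SECONDS = 300  # assumption: refetch every 5 minutes so rotation is picked up


def _default_client():
    import boto3  # imported lazily so the module loads without boto3 installed
    return boto3.client("secretsmanager")


def get_secret(secret_id: str,
               client_factory: Callable = _default_client,
               now: Callable[[], float] = time.time) -> dict:
    """Return the parsed JSON secret, using the cached copy while it is fresh."""
    entry = _CACHE.get(secret_id)
    if entry and now() - entry["fetched_at"] < SECRET_TTL_SECONDS:
        return entry["value"]
    resp = client_factory().get_secret_value(SecretId=secret_id)
    value = json.loads(resp["SecretString"])
    _CACHE[secret_id] = {"value": value, "fetched_at": now()}
    return value


def handler(event, context, **deps):
    # The stack injects only the secret *identifier*, never the value.
    secret_id = os.environ["DB_SECRET_ID"]
    creds = get_secret(secret_id, **deps)
    # Open the DB connection with creds["username"] / creds["password"] here.
    # Log which secret was used, never its contents.
    print(f"using secret {secret_id}")
    return {"statusCode": 200, "body": json.dumps({"ok": True})}
```

Rotation only works if consumers refetch: the TTL bounds how long a function keeps using a credential after Secrets Manager has moved to a new version.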

My Journey

Key Challenges & Solutions:

  • Challenge 1: Ensuring zero secrets exposure in code commits
    Solution: Implemented git-crypt + automated secret redaction during `pulumi preview`
  • Challenge 2: Multi-environment secret segregation
    Solution: Created dynamic secret namespaces based on Pulumi stack names
  • Challenge 3: RBAC enforcement
    Solution: Used Pulumi's IAM role cloning to create least-privilege policies
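Challenges 2 and 3 together, as an added example that is not the project's own code: the stack name becomes a Secrets Manager name prefix (`<stack>/`), and the Lambda's IAM policy is scoped to exactly that prefix plus `kms:Decrypt` restricted to calls made via Secrets Manager. The region, account ID, and KMS key ARN are parameters; `policy_grants` is a deliberately tiny matcher used only to sanity-check the policy offline, not a full IAM evaluator.

```python
import re

# Pulumi stack names may contain characters not allowed in a secret name;
# normalise them before building the namespace.
_UNSAFE = re.compile(r"[^A-Za-z0-9/_+=.@-]")


def secret_namespace(stack: str) -> str:
    """Name prefix for one stack, e.g. 'prod/'. The trailing slash matters:
    'prod/*' must not match a secret under 'production/'."""
    stack = _UNSAFE.sub("-", stack.strip())
    if not stack:
        raise ValueError("stack name must not be empty")
    return f"{stack}/"


def secret_name(stack: str, logical: str) -> str:
    return secret_namespace(stack) + logical


def lambda_secret_policy(stack: str, region: str, account_id: str, kms_key_arn: str) -> dict:
    """Least-privilege policy for the app role: read only this stack's secrets,
    and decrypt with this stack's key only when Secrets Manager is the caller."""
    ns = secret_namespace(stack)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOwnStackSecrets",
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
                # AWS appends a random suffix to secret ARNs, hence the wildcard
                "Resource": f"arn:aws:secretsmanager:{region}:{account_id}:secret:{ns}*",
            },
            {
                "Sid": "DecryptViaSecretsManagerOnly",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": kms_key_arn,
                "Condition": {
                    "StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}
                },
            },
        ],
    }


def policy_grants(policy: dict, action: str, resource: str) -> bool:
    """Minimal check: does some Allow statement list this action and have a
    Resource pattern matching this ARN? (Ignores Deny and Conditions.)"""
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Allow" or action not in actions:
            continue
        pattern = "^" + re.escape(st["Resource"]).replace(r"\*", ".*") + "$"
        if re.match(pattern, resource):
            return True
    return False
```

Feed `lambda_secret_policy(pulumi.get_stack(), ...)` into `aws.iam.RolePolicy` for the Lambda role; because the prefix comes from the stack name, `pulumi up` on the dev stack cannot produce a role that can read prod secrets.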

Critical Insights:

// Secret rotation pattern example (TypeScript). In pulumi-aws the value lives in a
// SecretVersion and rotation is a separate resource that needs a rotation Lambda.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as random from "@pulumi/random";

const config = new pulumi.Config();
// Password generated by the random provider; its output is stored encrypted in state.
const dbPassword = new random.RandomPassword("db-password", { length: 20 });
const dbSecret = new aws.secretsmanager.Secret("db-secret");
new aws.secretsmanager.SecretVersion("db-secret-v1", {
  secretId: dbSecret.id,
  secretString: pulumi.secret(pulumi.jsonStringify({ username: "admin", password: dbPassword.result })),
});
new aws.secretsmanager.SecretRotation("db-secret-rotation", {
  secretId: dbSecret.id,
  rotationLambdaArn: config.require("rotationLambdaArn"), // ARN of your rotation function
  rotationRules: { automaticallyAfterDays: 90 },
});

Using Pulumi ESC

Core Implementation:

# Python example using pulumi_aws; the value goes in a SecretVersion, not on the Secret
import pulumi
import pulumi_aws as aws

current_stack = pulumi.get_stack()
# One customer-managed KMS key per stack/environment
main_key = aws.kms.Key("main-key", enable_key_rotation=True)

def create_secret(name: str, value: pulumi.Input[str]) -> aws.secretsmanager.Secret:
    secret = aws.secretsmanager.Secret(
        name,
        kms_key_id=main_key.arn,
        tags={"Environment": current_stack},
    )
    aws.secretsmanager.SecretVersion(
        f"{name}-version",
        secret_id=secret.id,
        secret_string=pulumi.Output.secret(value),  # marked secret so it is encrypted in state
    )
    return secret

Why Pulumi ESC?

  1. Native integration with cloud-native secret managers (AWS Secrets Manager, Azure Key Vault)
  2. Type-safe secret handling through Pulumi's programming model
  3. Immediate visibility into secret dependencies via dependency graphs
  4. Audit trail synchronization with Pulumi's state tracking

Documentation Highlights

🔐 Security Best Practices in README:

1. Always wrap secret values in `pulumi.secret()`  
2. Use separate KMS keys for different environments  
3. Enable secret versioning and automatic rotation  
4. Verify secrets are encrypted in state: `pulumi stack export` shows ciphertext, never plaintext, for values marked secret

🚨 Troubleshooting Section:

# Common error resolution flowchart
[SecretsManagerAccessDenied] --> Check IAM permissions  
[CredentialRotationConflict] --> Verify KMS key policies  
[ResourceNotFound] --> Confirm region alignment

Special Thanks:

To the Pulumi community for their ESC SDK examples and the ESC team for their exceptional documentation 💡