This is a submission for the Pulumi Deploy and Document Challenge: Shhh, It's a Secret!

What I Built

A serverless secrets manager demo using Pulumi ESC (AWS) to securely retrieve and inject environment variables into a Lambda function. The project demonstrates:

  • Securely storing secrets in Pulumi ESC
  • Fetching secrets programmatically via the Pulumi SDK
  • Injecting secrets into cloud resources without exposing them in code
  • Implementing least-privilege IAM policies

Key Files:

  • __main__.py: Core Pulumi program using ESC SDK
  • secrets-manager.tf: Terraform configuration for ESC integration
  • README.md: Full setup guide & security practices

My Journey

Challenge 1: Initial Setup Complexity

Struggled with ESC authentication until I realized Pulumi Copilot wanted explicit region flags (--region us-west-2).

Key Prompt:

"Show me how to create an AWS secrets manager secret named 'db-creds' with encrypted password field using Pulumi Python SDK"

Breakthrough Moment:

Discovered Pulumi's Output.secret() method automatically encrypts values using ESC master keys – saving 20+ lines of custom encryption code!

Using Pulumi ESC

Why ESC?

  • Centralized secrets management for multi-cloud apps
  • Built-in rotation policies
  • Auditing capabilities via CloudTrail

SDK Magic:

import json
import pulumi
import pulumi_aws as aws

# Retrieve the secret without hardcoding it. The *_output variant returns a
# Pulumi Output, so the value is resolved by the engine at deploy time
# (the plain get_secret_value() returns a str, which has no .apply()).
db_secret = aws.secretsmanager.get_secret_value_output(
    secret_id="prod/db-credentials",
    version_stage="AWSCURRENT",
)

# Parse the JSON blob once and mark it secret so it is encrypted in state
# and masked in `pulumi up` output; secretness propagates to the fields below.
db_creds = pulumi.Output.secret(db_secret.secret_string.apply(json.loads))
db_password = db_creds["password"]
db_user = db_creds["username"]

Security Wins:

  1. Secrets never appear in deployment logs
  2. IAM role strictly limited to secretsmanager:GetSecretValue
  3. Automatic secret version rotation enabled
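The second win above, an execution role limited to secretsmanager:GetSecretValue on one secret, is easy to state and easy to let drift. The following is an added example (not the project's own code) that builds such a policy document for a constructed secret ARN, lints any policy document for wildcard actions or resources before it is deployed, and shows where it would be attached in a Pulumi program. The ARN, the Sid and the resource names are placeholders; the `attach_to_role` helper assumes `pulumi_aws` is installed in the Pulumi project.

```python
import json

# Constructed sample ARN for illustration (not from the project).
SECRET_ARN = "arn:aws:secretsmanager:us-west-2:123456789012:secret:prod/db-credentials-AbCdEf"

# The only action the Lambda role is supposed to have.
ALLOWED_ACTIONS = {"secretsmanager:GetSecretValue"}


def build_read_policy(secret_arn: str) -> dict:
    """Return an IAM policy document granting only GetSecretValue on one secret.

    The statement names a single resource ARN and a single action, so a
    compromised function role cannot list or read other secrets.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadDbCredentials",
                "Effect": "Allow",
                "Action": sorted(ALLOWED_ACTIONS),
                "Resource": secret_arn,
            }
        ],
    }


def audit_policy(policy: dict) -> list[str]:
    """Flag Allow statements broader than the least-privilege intent.

    Returns human-readable findings; an empty list means every Allow statement
    grants only the allowed actions on explicit Secrets Manager ARNs.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        sid = stmt.get("Sid", "<no Sid>")
        for action in actions:
            if action not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: action {action!r} is not in the allowed set")
        for res in resources:
            if "*" in res:
                findings.append(f"{sid}: resource {res!r} contains a wildcard")
            elif ":secretsmanager:" not in res:
                findings.append(f"{sid}: resource {res!r} is not a Secrets Manager ARN")
    return findings


def attach_to_role(role_name: str, policy: dict):
    """Attach the audited policy to the Lambda execution role in a Pulumi program.

    pulumi_aws is imported lazily so the pure-Python helpers above stay usable
    outside the Pulumi engine. Resource names here are placeholders.
    """
    import pulumi_aws as aws  # assumption: available in the Pulumi project venv

    policy_res = aws.iam.Policy("db-creds-read", policy=json.dumps(policy))
    return aws.iam.RolePolicyAttachment(
        "db-creds-read-attach", role=role_name, policy_arn=policy_res.arn
    )


if __name__ == "__main__":
    good = build_read_policy(SECRET_ARN)
    print(json.dumps(good, indent=2))
    print("findings:", audit_policy(good))
    # A policy that drifted toward "everything" should be caught before `pulumi up`.
    too_broad = {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllSecrets", "Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}]}
    print("findings:", audit_policy(too_broad))
```

Running `audit_policy` in CI (or in the Pulumi program before `attach_to_role`) turns the "strictly limited" claim into a check that fails the deployment when someone widens the statement.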

Documentation Highlights (From README)

Step 1: Enable ESC

pulumi login --cloud-url https://esc.example.com
pulumi stack init dev

Step 2: Create Secret (via CLI)

aws secretsmanager create-secret \
  --name "prod/db-credentials" \
  --secret-string '{"username":"admin","password":"s3cr3t"}'

Note that an inline --secret-string value lands in your shell history; reading it from a local file instead (--secret-string file://creds.json) keeps the plaintext out of that history, and the file itself should not be committed.

Step 3: Deploy Securely

pulumi up --config aws:region=us-west-2

Security Checklist:

✅ Never commit secrets-manager.tf

✅ Use separate stacks for dev/prod

✅ Enable CloudWatch logging for secret access
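The last checklist item, together with the CloudTrail auditing mentioned earlier, only pays off if someone reads the trail. This is an added example (not from the project) that parses constructed CloudTrail records for `GetSecretValue` calls and flags reads by principals outside the expected reader set for each secret, as well as denied attempts. The role name, secret name, account id and addresses in the sample are made up; the expected-reader map is an assumption about which role the Lambda runs under.

```python
import json

# Constructed sample CloudTrail records (not real data): the Lambda role reading
# its secret, an IAM user reading the same secret, and a denied attempt by a CI role.
SAMPLE_EVENTS = json.dumps({"Records": [
    {
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "GetSecretValue",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/lambda-db-reader/app-fn"},
        "requestParameters": {"secretId": "prod/db-credentials"},
        "sourceIPAddress": "10.0.1.20",
    },
    {
        "eventTime": "2024-05-01T10:05:00Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "GetSecretValue",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"secretId": "prod/db-credentials"},
        "sourceIPAddress": "203.0.113.7",
    },
    {
        "eventTime": "2024-05-01T10:06:00Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "GetSecretValue",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ci-deployer/build-42"},
        "requestParameters": {"secretId": "prod/db-credentials"},
        "sourceIPAddress": "10.0.2.9",
        "errorCode": "AccessDeniedException",
    },
    {
        "eventTime": "2024-05-01T10:07:00Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "DescribeSecret",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"secretId": "prod/db-credentials"},
    },
]})

# Assumption: the only identity that should read this secret is the Lambda's role.
EXPECTED_READERS = {"prod/db-credentials": {"lambda-db-reader"}}


def principal_name(identity: dict) -> str:
    """Reduce an assumed-role session ARN to its role name; other identities keep the ARN."""
    arn = identity.get("arn", "")
    if identity.get("type") == "AssumedRole" and "assumed-role/" in arn:
        return arn.split("assumed-role/", 1)[1].split("/", 1)[0]
    return arn


def audit_secret_access(cloudtrail_json: str, expected: dict) -> list[dict]:
    """Return one finding per GetSecretValue call that is denied or comes from an unexpected principal."""
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        if rec.get("eventName") != "GetSecretValue":
            continue  # DescribeSecret etc. do not expose the value
        secret = rec.get("requestParameters", {}).get("secretId", "")
        principal = principal_name(rec.get("userIdentity", {}))
        base = {"time": rec.get("eventTime"), "secret": secret,
                "principal": principal, "ip": rec.get("sourceIPAddress")}
        if rec.get("errorCode"):
            findings.append({**base, "reason": f"denied ({rec['errorCode']})"})
        elif principal not in expected.get(secret, set()):
            findings.append({**base, "reason": "principal not in expected reader set"})
    return findings


if __name__ == "__main__":
    for f in audit_secret_access(SAMPLE_EVENTS, EXPECTED_READERS):
        print(f)
```

Denied calls are worth a finding of their own: a role that keeps hitting AccessDenied on the prod secret is either misconfigured or being used for something it was not meant to do, and either way the least-privilege policy is doing its job and should be left alone.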


Why This Matters

Traditional approaches store secrets in:

🚫 Environment variables (leaked in logs)

🚫 Hard-coded configs (commit history nightmares)

🚫 Third-party tools with unknown security postures

Pulumi ESC solves this by:

🔒 Keeping secrets in purpose-built storage

🔑 Providing programmatic access during deployments

📊 Enabling audit trails for compliance


Special Thanks

Shoutout to the Pulumi Community Slack for helping debug IAM policies – special thanks to @infra_ninja for the aws:PrincipalTag tip!

Not bad for a first-time ESC user, right? 🚀