Pulumi Makes Cloud Configuration Simple and Secure with Pulumi ESC

October 13, 2023 Off By David

Pulumi announced Pulumi ESC, a new solution to manage Environments, Secrets, and Configurations for cloud infrastructure and applications. Pulumi ESC enables developers to define reusable environments that combine secrets from multiple sources, including Pulumi IaC, AWS KMS, Azure Key Vault, Google Cloud KMS, OpenID Connect (OIDC) Relying Parties, 1Password, and HashiCorp Vault. Applications can consume these environments from any cloud execution context or tool, including Pulumi, Terraform, Cloudflare Workers, GitHub Actions or Docker. Pulumi ESC gives organizations a central way to define and scale cloud applications, without worry about secrets leaking or credentials needlessly proliferating across developer desktops.

“Pulumi makes it easy to manage infrastructure across complex environments,” said Dennis Sauvé, DevOps Engineer, Washington Trust Bank. “We need to manage an ever-growing number of environments, each with its own configuration and secrets. We are thrilled that Pulumi ESC will help us manage these at scale more robustly with a simple and secure approach.”

Modern cloud applications are dynamic and rely on many different cloud and SaaS services. Every application has multiple development, test, and production environments, often spread across multiple regions. Each environment accesses a multitude of configurations, which include network settings, deployment options, API Keys, and other important secrets, such as database credentials. At scale, this complexity too often leads to sprawl, lack of visibility and control, and improper scope. Without proper tooling, enterprises risk configuration mistakes, leading to unintended leaking of keys and secrets, and improper access to resources that require protection.

Pulumi ESC solves these problems by providing a simple and secure way to manage environments:

  • Define Anywhere, Consume Anywhere: ESC can pull configuration and secrets from any source, and consume them in any application. Users can adopt ESC independently of Pulumi’s Infrastructure as Code offerings.
  • Identity-Integrated and Auditable: ESC integrates with Pulumi Cloud’s identity and Role Based Access Control (RBAC) facilities, allowing teams finer-grained control over sensitive information. ESC includes deep integration with any SAML IdP including Azure AD, Microsoft Entra ID, Okta, Google Workspace, and many others. ESC fully supports auditing of all changes to the Environments, Secrets and Configurations it manages.
  • Static and Dynamic, Short-Lived Secrets: ESC provides facilities for both static and dynamic secrets. Short-lived secrets, like those supported via OIDC, are seen as best practice, yet are not well supported across key systems, forcing teams to use static secrets, which are inherently less secure. ESC makes adopting short-lived, dynamic secrets seamless, combining the security benefits of dynamic solutions with the ease of static configuration.
  • Hierarchical and Composable: Multiple environments can be defined and composed together, eliminating “copy and paste errors” and enabling auditability and traceability into shared configuration changes.
  • Open Source and Managed: The ESC client SDKs, CLI, and plugins are all open source, and the Pulumi Cloud offers a fully managed experience. Pulumi Cloud can also be self-hosted on-premises behind the firewall or in any public cloud for advanced compliance needs.

“Pulumi already delivers the world’s best way to manage cloud resources. With Pulumi ESC, our community can now bring additional critical aspects of infrastructure management into their Pulumi workflow,” said Luke Hoban, CTO of Pulumi. “We wanted to build a general purpose configuration and secrets management solution that worked seamlessly with any infrastructure or application that could be used by multiple teams, with different roles, within an organization. Every interaction needed a security and auditability guarantee, and I’m incredibly proud of the work our team did to deliver.”

With Pulumi ESC, organizations can improve their security posture while enabling a developer experience that provides maximum productivity and flexibility. Pulumi ESC is available for free as a public preview today with the intent to eventually offer multiple tiered versions, including a free offering and others with advanced Enterprise and Business Critical capabilities. Visit pulumi.com/esc to learn more and sign up today.