The PivotNine Blog

Pulumi Announces New Secrets Management Tool: Pulumi ESC

10 October 2023
Justin Warren

Infrastructure as code company Pulumi has announced a new offering called Pulumi ESC for managing environments, secrets, and configurations.

Pulumi ESC is designed to be a consolidation and coordination point for configuration and secrets stored in multiple tools. Pulumi ESC can define an environment that pulls in secrets from multiple sources, including AWS KMS, Azure Key Vault, Google Cloud KMS, OpenID Connect (OIDC) Relying Parties, 1Password, HashiCorp Vault, and Pulumi's own IaC. Applications can then consume these secrets or environment settings in multiple contexts, such as GitHub Actions, Docker, Cloudflare Workers, as well as Pulumi itself.

Pulumi ESC integrates with SAML-based identity providers such as Azure AD, Microsoft Entra ID, Okta, and Google Workspace, as well as Pulumi Cloud. ESC can provide fine-grained controls over access to sensitive information, and auditing of all changes to the environments, secrets and configurations it manages.

There are two other subtle features of Pulumi ESC that I particularly like: support for static and short-lived dynamic secrets, and composable environments with hierarchy support.

Short-lived dynamic secrets are available from OIDC systems, but they tend to be fiddly to configure properly. Some are quite expensive, particularly when used at scale. Other secrets management systems don't really support dynamic secrets, or not well, and teams fall back to using poorly secured static secrets instead.

By making dynamic secrets easier and cheaper to adopt, Pulumi makes it more likely that developers will use them, which in turn makes secure secrets management more likely to become the default. In my discussions with Pulumi, the team clearly understands that secrets management has to be easy and cheap to adopt or developers will mostly choose other, less secure methods.

Composable environments also make secrets adoption easier. Developers can reuse existing environment definitions by combining them to create a new environment. This will cut down on copy-and-paste errors and make updates to core secrets shared by multiple environments easier and faster. Hierarchy support mimics the inheritance structures that many developers are already familiar with, and can help in designing a modular secrets system that scales well while respecting organisational boundaries.
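As an added illustration of the composition and mixed static/dynamic secrets described above (this is an example written for this post, not Pulumi's own documentation or code), the following is a pair of ESC environment definitions: a shared base environment holding a static secret, and a production environment that imports it and adds short-lived AWS credentials obtained via OIDC. The environment names, the role ARN and the secret value are placeholders.

```yaml
# Environment "org/shared-base" (placeholder name): the common layer
# that other environments import. Static values live here once, so a
# rotation is a single edit rather than a copy-and-paste across teams.
values:
  sentryDsn:
    fn::secret: "PLACEHOLDER-STATIC-SECRET"   # encrypted at rest by ESC
  environmentVariables:
    SENTRY_DSN: ${sentryDsn}

---
# Environment "org/aws-prod" (placeholder name): imports the base layer
# and adds a dynamic, short-lived AWS session instead of a long-lived
# access key. Nothing from the base layer is re-typed here.
imports:
  - shared-base
values:
  aws:
    login:
      fn::open::aws-login:
        oidc:
          roleArn: arn:aws:iam::000000000000:role/PLACEHOLDER-ROLE
          sessionName: pulumi-esc-prod
  environmentVariables:
    # Temporary credentials minted at open time; they expire on their own.
    AWS_ACCESS_KEY_ID: ${aws.login.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${aws.login.secretAccessKey}
    AWS_SESSION_TOKEN: ${aws.login.sessionToken}
```

A consumer that opens `aws-prod` receives both the inherited `SENTRY_DSN` and the freshly minted AWS session variables, so the static secret is defined in exactly one place and the AWS credentials never exist as a stored long-lived key.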

Enterprises will particularly benefit from Pulumi ESC's ability to play well with systems they already have without imposing too much of its own opinionated worldview. I can see ESC providing a pathway for organisations that want to do better with secrets management but haven't yet mapped out a full end state of what good looks like. With ESC they can make things better as they learn, with less risk of creating a huge mess to fix once they realise what they should have done earlier.

Secrets management is quite complex, particularly dynamic secrets across multiple disparate environments. With systems inherited from acquisitions or restructurings, or just an earlier phase of organisational development, moving to a One True Way system that controls all secrets management is challenging. I see Pulumi ESC helping organisations with this challenge, and expect these features to be copied by others.

Pulumi ESC is available for free as a public preview today. Pulumi intends to eventually offer multiple paid versions with more advanced enterprise or business-critical capabilities, alongside a free version.

Pulumi is a PivotNine client.