-
Notifications
You must be signed in to change notification settings - Fork 224
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Blog: Why Cloud Engineers need Pulumi ESC #13628
base: master
Are you sure you want to change the base?
Conversation
content/blog/why-every-cloud-engineer-needs-pulumi-esc-secrets-management/index.md
Outdated
Show resolved
Hide resolved
…-management/index.md
content/blog/why-every-cloud-engineer-needs-pulumi-esc-secrets-management/index.md
Outdated
Show resolved
Hide resolved
…-management/index.md
content/blog/why-every-cloud-engineer-needs-pulumi-esc-secrets-management/index.md
Outdated
Show resolved
Hide resolved
…-management/index.md
Your site preview for commit 2ccf62f is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-13628-2ccf62fc.s3-website.us-west-2.amazonaws.com. |
Your site preview for commit 5569e2b is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-13628-5569e2bb.s3-website.us-west-2.amazonaws.com. |
content/blog/why-every-cloud-engineer-needs-pulumi-esc-secrets-management/index.md
Outdated
Show resolved
Hide resolved
…-management/index.md
Your site preview for commit fc57183 is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-13628-fc57183a.s3-website.us-west-2.amazonaws.com. |
# for details, and please remove these comments before submitting for review. | ||
--- | ||
|
||
Managing secrets is one of the most critical responsibilities in cloud engineering. Secrets like API keys, database credentials, and encryption tokens are the backbone of secure and seamless cloud operations. However, the complexity of modern cloud-native and multi-cloud environments has made traditional secrets management solutions inadequate. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we talk about config too? All cloud engineers need config too, and we seem to forget that in every piece of content.
|
||
## What is Pulumi ESC? | ||
|
||
Pulumi ESC is a secrets management and orchestration service from Pulumi designed to secure sensitive configurations across modern cloud environments. It supports seamless integration, enabling engineers to: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We are not an orchestration service, but we are a "broker".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cleverguy25 "broker" doesn't sound as nice. Should we update the docs page too? At the bottom of https://www.pulumi.com/docs/esc/, in the "Why Pulumi ESC?" it says it is an orchestration service.
|
||
### 3. Automated Rotation and Expiry | ||
|
||
Pulumi ESC minimizes security risks by automating the rotation of secrets. This feature aligns secrets management with CI/CD processes for cloud engineers focused on DevOps, ensuring credentials remain valid only when needed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We actually do not do this, yet. It is on the roadmap
|
||
### 4. Secure by Design | ||
|
||
Pulumi ESC follows a "secure by default" model by employing encryption, fine-grained access control, and detailed audit trails. Engineers can meet compliance regulations effortlessly while gaining full visibility into secret access patterns. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would not call our current access control fine grained, it is something we are working on.
|
||
### 5. Language Flexibility | ||
|
||
With SDKs available for Python, Go, JavaScript, and other major languages, cloud engineers can integrate Pulumi ESC directly into their CI/CD pipelines or custom applications. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We only support python, go, and javascript/typescript at the moment.
|
||
Tools should make engineers' lives easier, not harder. Pulumi ESC's CLI, SDKs, and API provide intuitive ways to integrate into existing workflows. For cloud engineers leveraging Infrastructure as Code with Pulumi, managing secrets alongside the stack becomes effortless. | ||
|
||
### Using Pulumi ESC with External Secrets Operator (ESO) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While we should mention ESO, we should also wait and mention the upcoming CSI provider.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When will the upcoming CSI provider be released?
content/blog/why-every-cloud-engineer-needs-pulumi-esc-secrets-management/index.md
Outdated
Show resolved
Hide resolved
content/blog/why-every-cloud-engineer-needs-pulumi-esc-secrets-management/index.md
Outdated
Show resolved
Hide resolved
content/blog/why-every-cloud-engineer-needs-pulumi-esc-secrets-management/index.md
Outdated
Show resolved
Hide resolved
content/blog/why-every-cloud-engineer-needs-pulumi-esc-secrets-management/index.md
Outdated
Show resolved
Hide resolved
Your site preview for commit 884e530 is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-13628-884e5303.s3-website.us-west-2.amazonaws.com. |
Your site preview for commit abba98e is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-13628-abba98e5.s3-website.us-west-2.amazonaws.com. |
content/blog/why-every-cloud-engineer-needs-pulumi-esc-secrets-management/index.md
Outdated
Show resolved
Hide resolved
…-management/index.md
Your site preview for commit f52cf3c is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-13628-f52cf3c9.s3-website.us-west-2.amazonaws.com. |
|
||
Pulumi ESC extends its capabilities beyond Pulumi IaC by integrating with other infrastructure tools such as Cloudflare, Terraform, and OpenTofu. These integrations enable seamless provisioning of cloud credentials and input variables directly from ESC environments. | ||
|
||
## Why Cloud Engineers Need Pulumi ESC |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note to self: add a config-specific point
Your site preview for commit 5fb5500 is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-13628-5fb55007.s3-website.us-west-2.amazonaws.com. |
|
||
### Zero Downtime Through Automation | ||
|
||
Manual secrets management often leads to errors such as expired credentials or outdated tokens. Pulumi ESC automates the entire lifecycle of secrets—creation, rotation, replication, and expiry—guaranteeing uninterrupted services. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note to self: It doesn't seem like we can't claim this yet... rotation not available yet, check others.
Your site preview for commit 95f8e99 is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-13628-95f8e99f.s3-website.us-west-2.amazonaws.com. |
ETA February
Note: since Secrets Rotation is supposed to deploy on Jan 31, I will push this article for later in order to include it as it is a big plus.
Proposed changes
Unreleased product version (optional)
Related issues (optional)