Blog: Why Cloud Engineers need Pulumi ESC #13628

Open: wants to merge 11 commits into base: master

Conversation

SaraDPH (Contributor) commented Dec 13, 2024

ETA February

Note: since Secrets Rotation is supposed to deploy on Jan 31, I will push this article for later in order to include it as it is a big plus.


@thoward thoward added the area/blog Content issues on blog posts. label Dec 13, 2024
# for details, and please remove these comments before submitting for review.
---

Managing secrets is one of the most critical responsibilities in cloud engineering. Secrets like API keys, database credentials, and encryption tokens are the backbone of secure and seamless cloud operations. However, the complexity of modern cloud-native and multi-cloud environments has made traditional secrets management solutions inadequate.
Contributor:

Can we talk about config too? All cloud engineers need config too, and we seem to forget that in every piece of content.


## What is Pulumi ESC?

Pulumi ESC is a secrets management and orchestration service from Pulumi designed to secure sensitive configurations across modern cloud environments. It supports seamless integration, enabling engineers to:
Contributor:

We are not an orchestration service, but we are a "broker".

Contributor Author:

@cleverguy25 "broker" doesn't sound as nice. Should we update the docs page too? At the bottom of https://www.pulumi.com/docs/esc/, in the "Why Pulumi ESC?" it says it is an orchestration service.
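To make the "secrets management" and "config" points above concrete, here is an added illustration of what a Pulumi ESC environment definition looks like. It is not from the blog draft or from this PR; it uses the documented `imports`, `values`, `fn::secret`, `fn::open::aws-login`, `environmentVariables` and `pulumiConfig` keys, and the imported environment name, role ARN, and secret value are placeholders.

```yaml
# Added example environment (not part of the PR). Names, ARN and secret value are placeholders.
imports:
  - shared/base-config          # assumption: another environment holding shared, non-secret config
values:
  # Plain configuration lives beside secrets, so the same environment serves both needs.
  region: us-west-2
  serviceName: payments-api
  # Values wrapped in fn::secret are encrypted at rest and redacted in CLI/API output.
  dbPassword:
    fn::secret: "REPLACE_WITH_REAL_PASSWORD"   # placeholder, never commit a real value here
  # Cloud credentials are minted on open via OIDC, so no long-lived access key is stored anywhere.
  aws:
    login:
      fn::open::aws-login:
        oidc:
          roleArn: arn:aws:iam::123456789012:role/esc-placeholder   # placeholder ARN
          sessionName: pulumi-esc
          duration: 1h
  # What consumers receive: process env vars for `esc run`, and stack config for `pulumi up`.
  environmentVariables:
    AWS_ACCESS_KEY_ID: ${aws.login.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${aws.login.secretAccessKey}
    AWS_SESSION_TOKEN: ${aws.login.sessionToken}
    DB_PASSWORD: ${dbPassword}
  pulumiConfig:
    aws:region: ${region}
    dbPassword: ${dbPassword}
```

Running `esc run <org>/<env> -- ./deploy.sh` (the exact environment path form depends on the ESC version in use) injects the `environmentVariables` block into the child process for the lifetime of the command, and a Pulumi stack that references the environment picks up `pulumiConfig` without any secret being written to `Pulumi.<stack>.yaml`. The defender-relevant point is that the only long-lived secret in this file is the one explicitly marked with `fn::secret`; the cloud credentials are short-lived and scoped to the role's permissions.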


### 3. Automated Rotation and Expiry

Pulumi ESC minimizes security risks by automating the rotation of secrets. This feature aligns secrets management with CI/CD processes for cloud engineers focused on DevOps, ensuring credentials remain valid only when needed.
Contributor:

We actually do not do this yet. It is on the roadmap.


### 4. Secure by Design

Pulumi ESC follows a "secure by default" model by employing encryption, fine-grained access control, and detailed audit trails. Engineers can meet compliance regulations effortlessly while gaining full visibility into secret access patterns.
Contributor:

I would not call our current access control fine grained, it is something we are working on.


### 5. Language Flexibility

With SDKs available for Python, Go, JavaScript, and other major languages, cloud engineers can integrate Pulumi ESC directly into their CI/CD pipelines or custom applications.
Contributor:

We only support Python, Go, and JavaScript/TypeScript at the moment.


Tools should make engineers' lives easier, not harder. Pulumi ESC's CLI, SDKs, and API provide intuitive ways to integrate into existing workflows. For cloud engineers leveraging Infrastructure as Code with Pulumi, managing secrets alongside the stack becomes effortless.

### Using Pulumi ESC with External Secrets Operator (ESO)
Contributor:

While we should mention ESO, we should also wait and mention the upcoming CSI provider.

Contributor Author:

When will the upcoming CSI provider be released?


Pulumi ESC extends its capabilities beyond Pulumi IaC by integrating with other infrastructure tools such as Cloudflare, Terraform, and OpenTofu. These integrations enable seamless provisioning of cloud credentials and input variables directly from ESC environments.

## Why Cloud Engineers Need Pulumi ESC
SaraDPH (Contributor Author), Dec 13, 2024:

Note to self: add a config-specific point



### Zero Downtime Through Automation

Manual secrets management often leads to errors such as expired credentials or outdated tokens. Pulumi ESC automates the entire lifecycle of secrets—creation, rotation, replication, and expiry—guaranteeing uninterrupted services.
SaraDPH (Contributor Author), Dec 13, 2024:

Note to self: It doesn't seem like we can claim this yet... rotation is not available yet; check the others.


Labels: area/blog

4 participants