Pulumi Makes Cloud Configuration Simple and Secure with Pulumi ESC
Pulumi tames configuration and secrets sprawl with open source and fully managed enterprise product
SEATTLE — October 10, 2023 — Infrastructure as code leader Pulumi today announced Pulumi ESC, a new solution to manage Environments, Secrets, and Configurations for cloud infrastructure and applications. Pulumi ESC enables developers to define reusable environments that combine secrets from multiple sources, including Pulumi IaC, AWS KMS, Azure Key Vault, Google Cloud KMS, OpenID Connect (OIDC) Relying Parties, 1Password, and HashiCorp Vault. Applications can consume these environments from any cloud execution context or tool, including Pulumi, Terraform, Cloudflare Workers, GitHub Actions or Docker. Pulumi ESC gives organizations a central way to define and scale cloud applications, without worrying about secrets leaking or credentials needlessly proliferating across developer desktops.
“Pulumi makes it easy to manage infrastructure across complex environments,” said Dennis Sauvé, DevOps Engineer, Washington Trust Bank. “We need to manage an ever-growing number of environments, each with its own configuration and secrets. We are thrilled that Pulumi ESC will help us manage these at scale more robustly with a simple and secure approach.”
Modern cloud applications are dynamic and rely on many different cloud and SaaS services. Every application has multiple development, test, and production environments, often spread across multiple regions. Each environment accesses a multitude of configurations, which include network settings, deployment options, API Keys, and other important secrets, such as database credentials. At scale, this complexity too often leads to sprawl, lack of visibility and control, and improper scope. Without proper tooling, enterprises risk configuration mistakes, leading to unintended leaking of keys and secrets, and improper access to resources that require protection.
Pulumi ESC solves these problems by providing a simple and secure way to manage environments:
- Define Anywhere, Consume Anywhere: ESC can pull configuration and secrets from any source, and consume them in any application. Users can adopt ESC independently of Pulumi’s Infrastructure as Code offerings.
- Identity-Integrated and Auditable: ESC integrates with Pulumi Cloud’s identity and Role Based Access Control (RBAC) facilities, allowing teams finer-grained control over sensitive information. ESC includes deep integration with any SAML IdP including Azure AD, Microsoft Entra ID, Okta, Google Workspace, and many others. ESC fully supports auditing of all changes to the Environments, Secrets and Configurations it manages.
- Static and Dynamic, Short-Lived Secrets: ESC provides facilities for both static and dynamic secrets. Short-lived secrets, like those supported via OIDC, are seen as best practice, yet are not well supported across key systems, forcing teams to use static secrets, which are inherently less secure. ESC makes adopting short-lived, dynamic secrets seamless, combining the security benefits of dynamic solutions with the ease of static configuration.
- Hierarchical and Composable: Multiple environments can be defined and composed together, eliminating “copy and paste errors” and enabling auditability and traceability into shared configuration changes.
- Open Source and Managed: The ESC client SDKs, CLI, and plugins are all open source, and the Pulumi Cloud offers a fully managed experience. Pulumi Cloud can also be self-hosted on-premises behind the firewall or in any public cloud for advanced compliance needs.
“Pulumi already delivers the world’s best way to manage cloud resources. With Pulumi ESC, our community can now bring additional critical aspects of infrastructure management into their Pulumi workflow,” said Luke Hoban, CTO of Pulumi. “We wanted to build a general purpose configuration and secrets management solution that worked seamlessly with any infrastructure or application that could be used by multiple teams, with different roles, within an organization. Every interaction needed a security and auditability guarantee, and I’m incredibly proud of the work our team did to deliver.”
With Pulumi ESC, organizations can improve their security posture while enabling a developer experience that provides maximum productivity and flexibility. Pulumi ESC is available for free as a public preview today with the intent to eventually offer multiple tiered versions, including a free offering and others with advanced Enterprise and Business Critical capabilities. Visit pulumi.com/esc to learn more and sign up today.
“Pulumi IaC simplifies infrastructure management so that our developers can release Fusion, our hardware development platform, fast and reliably,” said Alfred Stappenbeck, Principal Cloud Software Engineer, Stoke Space. “We deliver new features and updates to our customers at a very rapid pace, and we can’t allow configuration sprawl to slow us down. Without a modular configuration model, our teams could lose track of changes and dependencies. We welcome these comprehensive tools to manage our configurations and secrets.”
“Developer workflows for application and infrastructure deployment require many secrets to be readily available to access a variety of tooling,” said Tony Myers, VP of Product Management at 1Password. “We’re excited to partner with Pulumi to provide developers with a solution that ultimately simplifies their workflows and improves security practices. Secrets managed in 1Password can be easily accessed by the right users, while ensuring sensitive values remain protected from unintended leakage into configuration files or chat logs.”
“Today, IT teams need to securely connect everyone and everything. Too often, cloud, SaaS, internet, and on-premise domains are painfully disconnected. Making all these systems talk to each other is simply too difficult,” said Dane Knecht, SVP, Emerging Technology and Incubation at Cloudflare. “We’re excited to be design partners for Pulumi ESC because we are both working to make connectivity possible, eliminating the burden of ad-hoc secrets and configuration management.”
Pulumi lets engineers deliver infrastructure as code faster, using any programming language. The Pulumi Platform enables customers to manage 10x more resources at lower cost than traditional tools, while Pulumi Insights unlocks analytics and search across cloud infrastructure, and enables novel AI-driven infrastructure automation. For more information, visit www.pulumi.com.