This message was deleted.

I guess it can be used to share common configurations across projects

Hello @gifted-gigabyte-53859, the main usage for environments, the ESC way, is to prevent duplication of configuration items over multiple stacks. For instance, if you have multiple stacks that would deploy to the same AWS account, you create an environment and link it to multiple stacks. Allow Pulumi Cloud as an OIDC provider for your AWS account. In your ESC environment, you configure the ESC

aws-login

provider to fetch short lived credentials: https://www.pulumi.com/docs/pulumi-cloud/esc/providers/aws-login/ Access to environments can also be controlled using Pulumi Cloud's role based access. If people have access to an environment via Pulumi Cloud, they no longer need to have per user AWS credentials setup. Complement this with our new

esc

CLI, and you can run any CLI tool with proper shortlived credentials. https://www.pulumi.com/docs/esc-cli/ Let me know if you have any further questions.

Yes, I would second what Ringo says about deduplication. But even if that is not a concern for you, the builtin OIDC integration is a game changer. Once you have it configured, you can just

cd

in to a project, run

pulumi up

and ESC automatically acquires short term credentials for you. It is quite magical, and more secure as you don't have to worry about copy/pasting static or long lived creds.

Thank you both, very much appreciated. I will look into OIDC as it sounds like it'll fix one of the bigger pains common to granting access to CI/CD in most cloud environments. I also understand better now how ESC helps with deduplication. I had previously only worked with 1-1 stack to AWS account so it didn't click for me until you explained.