https://pulumi.com logo
#esc
Title
# esc
g

gifted-gigabyte-53859

10/25/2023, 6:53 AM
Can anyone help me understand where I'd use ESC versus just putting stack specific variables in the stack files or in the global Pulumi.yaml file? (under the
config:
section)? Also, what's the best practice for storing credentials? E.g. I want to add AWS credentials into my pulumi project that uses ESC and Deployments, how do I do this? I could encrypt them, using
pulumi config set --secret
but then these are added into the stack files. Whereas normally we'd use AWS credentials that are in our local environment (per user).
I guess it can be used to share common configurations across projects
l

limited-rainbow-51650

10/25/2023, 1:55 PM
Hello @gifted-gigabyte-53859, the main usage for environments, the ESC way, is to prevent duplication of configuration items over multiple stacks. For instance, if you have multiple stacks that would deploy to the same AWS account, you create an environment and link it to multiple stacks. Allow Pulumi Cloud as an OIDC provider for your AWS account. In your ESC environment, you configure the ESC
aws-login
provider to fetch short lived credentials: https://www.pulumi.com/docs/pulumi-cloud/esc/providers/aws-login/ Access to environments can also be controlled using Pulumi Cloud's role based access. If people have access to an environment via Pulumi Cloud, they no longer need to have per user AWS credentials setup. Complement this with our new
esc
CLI, and you can run any CLI tool with proper shortlived credentials. https://www.pulumi.com/docs/esc-cli/ Let me know if you have any further questions.
l

lemon-agent-27707

10/25/2023, 10:30 PM
Yes, I would second what Ringo says about deduplication. But even if that is not a concern for you, the builtin OIDC integration is a game changer. Once you have it configured, you can just
cd
in to a project, run
pulumi up
and ESC automatically acquires short term credentials for you. It is quite magical, and more secure as you don't have to worry about copy/pasting static or long lived creds.
g

gifted-gigabyte-53859

10/26/2023, 2:55 AM
Thank you both, very much appreciated. I will look into OIDC as it sounds like it'll fix one of the bigger pains common to granting access to CI/CD in most cloud environments. I also understand better now how ESC helps with deduplication. I had previously only worked with 1-1 stack to AWS account so it didn't click for me until you explained.