# esc
g
Can anyone help me understand where I'd use ESC versus just putting stack-specific variables in the stack files or in the global Pulumi.yaml file (under the `config:` section)? Also, what's the best practice for storing credentials? E.g. I want to add AWS credentials into my Pulumi project that uses ESC and Deployments, how do I do this? I could encrypt them using `pulumi config set --secret`, but then these are added into the stack files. Whereas normally we'd use AWS credentials that are in our local environment (per user).
I guess it can be used to share common configurations across projects
l
Hello @gifted-gigabyte-53859, the main usage for environments, the ESC way, is to prevent duplication of configuration items over multiple stacks. For instance, if you have multiple stacks that would deploy to the same AWS account, you create an environment and link it to multiple stacks. Allow Pulumi Cloud as an OIDC provider for your AWS account. In your ESC environment, you configure the ESC `aws-login` provider to fetch short-lived credentials: https://www.pulumi.com/docs/pulumi-cloud/esc/providers/aws-login/ Access to environments can also be controlled using Pulumi Cloud's role-based access. If people have access to an environment via Pulumi Cloud, they no longer need to have per-user AWS credentials set up. Complement this with our new `esc` CLI, and you can run any CLI tool with proper short-lived credentials: https://www.pulumi.com/docs/esc-cli/ Let me know if you have any further questions.
l
Yes, I would second what Ringo says about deduplication. But even if that is not a concern for you, the built-in OIDC integration is a game changer. Once you have it configured, you can just `cd` into a project, run `pulumi up`, and ESC automatically acquires short-term credentials for you. It is quite magical, and more secure as you don't have to worry about copy/pasting static or long-lived creds.
g
Thank you both, very much appreciated. I will look into OIDC as it sounds like it'll fix one of the bigger pains common to granting access to CI/CD in most cloud environments. I also understand better now how ESC helps with deduplication. I had previously only worked with a 1-to-1 stack-to-AWS-account setup, so it didn't click for me until you explained.